Author Archives: privacynewshighlights

01-15 December 2013


US – NTIA Announces Facial Recognition Meeting Schedule

An announcement in the Federal Register details the National Telecommunications and Information Administration (NTIA) series of eight meetings related to the “Consumer Data Privacy Code of Conduct” on facial recognition technology first reported last week . The meetings will be held in Washington, DC, and will be open to the public. The report includes the dates of the eight meetings, beginning with one on February 6 aimed at beginning a “factual, stakeholder-driven dialogue regarding the technical capabilities and commercial uses of facial recognition technology.” The NTIA plans to circulate a draft for public comment following the last meeting on June 24. [Government Security News]

US – Next NTIA Project to Focus on Facial Recognition

The National Telecommunications and Information Administration (NTIA) announced it is launching a new multi-stakeholder process that will focus on the commercial use of facial recognition technology. While the technology has potential for innovative use that could improve services for consumers, writes Department of Commerce Assistant Secretary for Communications Lawrence Strickling, “the technology poses distinct privacy challenges. Digital images are increasingly available, and the importance of securing faceprints and ensuring consumers’ appropriate control over their data is clear.” The NTIA, which most recently used the multi-stakeholder process to release a code of conduct to improve privacy notices on mobile devices, will convene the first meeting to explore privacy safeguards for facial recognition technology on February 6 at 1 p.m. The public and all stakeholders are invited, and the meeting will be webcast. [NTIA]


CA – Denham Calls for Amendment to Law; Ring Voices Concerns

Citing concerns that public entities are not doing enough to raise awareness of possible health, safety and environmental concerns, BC Information and Privacy Commissioner Elizabeth Denham is recommending the government amend the Freedom of Information and Protection of Privacy Act. In a report released this week, Denham raises concerns that public bodies are not aware of or trained in their duty to inform residents of potential dangers. Separately, the CEO of a health research firm is cautioning that privacy concerns in BC limit researcher access to data for healthcare innovations. And in Newfoundland and Labrador, Information and Privacy Commissioner Ed Ring is concerned the province’s premier’s office “improperly withheld” documents related to search and rescue efforts. [Times Colonist]

CA – Report: Supreme Court Ruling Suggests All Data Is Not Equal

In a complex ruling, the Supreme Court of Canada has found that data stored on a hard drive “is not equal to the same material stored in a filing cabinet.” The case, which involved a man’s conviction for growing marijuana, is what the Canadian Bar Association’s called “a marker (in the ground) for digital privacy law in Canada,” the report states, noting the man’s lawyer “succeeded in convincing the justices that computers are ‘stand-alone places’ that require specific search warrants.” [SC Magazine]

CA – Bertrand Denies Support of Data-Sharing Bill

New Brunswick Privacy Commissioner Anne Bertrand has said she did not give the government input or support for a proposed government data sharing bill. Earlier in the week, the education minister said Bertrand had supported Bill 23—a bill that would make it easier for government agencies to share personal information. In a letter to Speaker Dale Graham, Bertrand wrote, “With respect, I was surprised to hear the minister’s comments to this effect, as her comments do not accurately reflect the nature of the discussions that took place between our office and department officials on this matter.” [CBC News]


WW – World’s Leading Writers Demand “Digital Bill of Rights”

More than 500 of the world’s top writers have banded together to condemn the scale of government surveillance around the globe. The signatories, including five Nobel Prize winners and authors from 81 different nations, are urging the United Nations to create an international, digital bill of rights. The move comes just a day after eight of the globe’s largest tech companies called for limits to state surveillance. The recent revelations about the extent to which governments spy on individuals has undermined the human right to “remain unobserved and unmolested … This human right has been rendered null and void through abuse of technological developments by states and corporations for mass surveillance purposes,” the statement says. “A person under surveillance is no longer free; a society under surveillance is no longer a democracy,” it adds. [The Guardian]

US – Study: Smartphone Users Will Pay More for Privacy

A study by University of Colorado Profs. Donald Waldman and Scott Savage has found “average smartphone users are willing to pay a few dollars for mobile apps that maintain privacy.” The team surveyed 1,726 people from seven U.S. cities, finding “consumers are willing to pay $4.05 to conceal contact lists, $3.58 to conceal the contents of text messages, $2.28 to shield browser history, $1.75 to block the phone’s ID number and $1.19 to conceal personal locations,” the report states. “We wanted to put a number out there,” Savage said. “Instead of saying what you feel or anecdotally thinking privacy is important, let’s put a number on it. Then people can have a real discussion.” [Daily Camera]

WW – Customized Airline Deals Raise Privacy Concerns

Industry reports that airlines are looking to roll out customized airfare packages for consumers based on collected data that could include income, home location and travel patterns. They are raising privacy concerns among some consumer advocates and have received the attention of the U.S. Department of Transportation (DoT). A spokeswoman for Airlines for America said, “We expect to see more airlines adopt this trend in commerce as they continue to offer passengers a more personalized travel experience.” However, Consumer Travel Alliance’s Charles Leocha said, “It will be the death of comparison shopping.” The DoT is scheduled to meet on Monday to discuss airfare pricing and could recommend federal legislation requiring airlines to disclose what data they’ve collected on travelers, the report states. [L.A. Times]

US – Many Stores Tracking Shoppers This Holiday Season

U.S. retailers are putting small tracking devices to work monitoring shoppers and their cellphones, to “tally how long people wait in line and where they shop.” The Future of Privacy Forum (FPF) has estimated “about 1,000 retailers, from tiny boutiques to Macy’s Inc., have outfitted their aisles with sensors to monitor shoppers’ paths,” the report states. While FPF has asked retailers to notify shoppers they are using such technology—and eight makers of tracking devices asked their clients to post such disclosures, the report notes, “the idea went nowhere with retailers.” Other retailers, meanwhile, have cited privacy concerns as their reason for holding off on using tracking technology, and some customers have complained about such practices as stores using WiFi signals to track customers through their cellphones. [The Wall Street Journal]

UK – Just 9% of Customers Have Faith Brands Will Secure Their Data

Japanese IT firm Fujitsu has released findings of a survey of 3,000 UK consumers that found just nine percent “have any faith in organizations to protect their data.” Further, 20% said they would inform police of a data loss, considering it a criminal offense, and 63% said they do not want companies to use their data to improve their experience with the company. “The results of our research showed consumer tolerance for data loss is at an all-time low,” said Fujitsu, Chief Security Officer, UK & Ireland David Robinson. Research was conducted by OnePoll, an independent research consultancy based in London. The consumers in the UK completed an online survey in October. [Fujitsu]

WW – Getting to Simpler, More Consumer-Friendly Privacy Policies

Prior to stepping down from the FTC, David Vladeck “frequently railed against the current generation of consumer-facing privacy policies” as it becomes clear that consumers just don’t read or understand them. And there is data to back him up, notes GMAC Chief Privacy Official Allen Brandt. This Privacy Perspectives post looks into several examples of creative ways companies are conveying their privacy policies to consumers, including how GMAC recently converted its entire consumer-facing privacy policy into a series of one-minute videos. [Full Story]


EU – France Gets Criticism for New Surveillance Law

France passed a law expanding government surveillance activities and the country is getting heavily criticized by privacy advocates for the move. The new law “essentially means that the police, intelligence and anti-terrorist agencies can now spy on Internet users in real-time, across computers, tablets and smartphones.” Previously, these entities needed approval from a National Commission for the Control of Security Intercepts judge before conducting these activities. One privacy expert voiced his disappointment with the CNIL, the French DPA, and noted that the new law “shows (that) the EU governments still have few qualms about mass surveillance of their own populations, even as they protest about NSA.” [SC Magazine]


WW – Microsoft Beefing Up Encryption Following Gov’t Spying Revelations

A Microsoft blog announces the company is “taking steps to ensure governments use legal process rather than technological brute force to access customer data.” The company says allegations that some governments circumvent online security measures to collect private customer data put such governments alongside such threats as sophisticated malware and cyber attacks. As such, Microsoft plans to encrypt all services, reinforce legal protections for customers and expand the transparency of its software code. Microsoft General Counsel Bradford Smith said revelations the government might be hacking into corporate data centers “was a bit like an earthquake, sending shock waves across the tech sector.” [PC World]

EU Developments

EU – One-Stop-Shop Principle Delays Progress on Regulation

The proposed EU Data Protection Regulation suffered a setback when data protection authorities tried to reach agreement, indicating the update to current law will likely not occur until after European Parliament elections next year. An EU diplomat said the delay is due to concerns by Germany’s data protection authority that the one-stop-shop principle would enact weaker rules than the country currently has in place. “Harmonization, yes, but not at any price,” said a spokesman for Germany’s secretary of state in the federal ministry of the interior. Meanwhile, the head of the legal service for the European Council said the one-stop-shop rule would undermine human rights. [EU Observer] see also: [The EU and APEC: A Roadmap for Global Interoperability?]

EU – DPAs Say They Aren’t Ready for Regulation

While European data protection authorities say they aren’t ready for the proposed data protection regulation, multinationals such as Facebook and Google are tasked with untangling 28 different legal frameworks in the EU in order to address the issue. Irish Data Protection Commissioner Billy Hawkes says , under the proposed regulation, he would no longer be able to take complaints from Irish citizens about companies that are headquartered in other member states. Instead, Hawkes would be responsible for regulating the multinationals headquartered in Ireland, and therefore would be required to respond to the complaint of any EU citizen. Meanwhile, European Commission Vice President Viviane Reding has expressed frustration with the head of the EU Council’s legal service after he issued an opinion on the proposed rules. [PCWorld] See also: [Draft EU Data Protection Package: A History and Look to the Finish Line]

EU – Member States Need More Time with Regulation Proposal

The EU’s data protection overhaul faces months of delays after some member states have demanded more time to sign off on a law that would fine companies as much as 100 million euros for privacy violations. An anonymous EU official said the measures are unlikely to pass before European Parliament elections in May, noting the measure is “too complicated and sensitive” for member states to reach a deal this week. “If there’s not the necessary political will, the whole regulation is at risk,” said MEP Jan Philipp Albrecht. [Bloomberg]

EU – EU, U.S. Officials Indicate Potential Privacy Agreement at DPC

The keynote stage at the IAPP Data Protection Congress in Brussels became a diplomatic back-and -forth this morning as Constantijn van Oranje-Nassau, Head of Cabinet of Vice-President of the European Commission, Commissioner for the Digital Agenda Neelie Kroes, first delivered the European Commission’s view of data protection and then was followed by an address from U.S. Federal Trade Commissioner Julie Brill. Both emphasized the need to encourage innovation while protecting privacy and addressed whistleblower Edward Snowden’s revelations about the activities of U.S. National Security Agency and other intelligence agencies. Reading between the lines, writes Publications Director Sam Pfeifle in this report from the event for The Privacy Advisor, there were reasons to be encouraged that Safe Harbor and the free flow of data between continents will continue. [Privacy Advisor]

EU – Top Six Inadequacies Found During Privacy Audits

Would you be able to guess the top six failure points found in the last 20 privacy audits conducted by London’s Osborne Clarke? At the IAPP Europe Data Protection Congress, that is exactly what attendees were tasked with doing in a Family Feud/Family Fortunes-style challenge of determining just what the “Survey says.” In this exclusive for The Privacy Advisor, Publications Director Sam Pfeifle details the top failure points highlighted during the “Audit Programmes” session. Some of the results were not what attendees were expecting—with such factors as “excessive access to data” and “inadequate data breach plans” not making the top-six list. [Privacy Advisor] See also: [Ten Steps to a Quality Privacy Program, Part Five: Building an Audit Plan]

EU – Pan-Euro Law Likely Means ICO Restructuring

Pending new pan-Europe legislation will decrease revenues for the UK Information Commissioner’s Office (ICO), meaning that it will likely change the way it handles casework and enquiries. An ICO spokesperson says this will allow the office to “identify and address wider compliance issues, and only where appropriate, to address individual concerns.” A consultation document titled “Looking Ahead, Staying Ahead: Towards a 2020 Vision for Information Rights” outlines the planned changes to the regime, including coordinating more with other organisations and regulators, the report states. The consultation is open for comment through 7 February. [SC Magazine]

EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent.” Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

EU – New Dutch Fining Powers Expected in 2015

Dutch Data Protection Authority Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 4 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act. Jeroen Terstegge examines what to expect as the Council of State advises on the new fining powers likely to come into force only on January 1, 2015. [The Privacy Advisor]

EU—Royal Decree Transposes Directive into Belgian Law

The Belgian government recently issued a royal decree that lays down broad data retention obligations for telecom, Internet access and webmail providers. The Royal Decree transposes the EU Data Retention Directive into Belgian law. [Details]

EU — New Danish Whistleblowing Legislation Takes Effect

As of 1 January 2014, new Danish legislation concerning whistleblowing will take effect. According to the new legislation, all Danish companies in the financial sector must have a whistleblower scheme that enables employees and board members anonymously to report any breach of the financial regulation.  [Details]

EU — Customer Care Outside the EU, New Rules Coming from the Italian DPA

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, provides its general rules to protect the privacy of Italian citizens. [Details]

EU—Datagate: Garante and DIS Enter Joint Agreement

The Garante and DIS have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet,” writes Panetta & Associati Managing Partner Rocco Panetta. [Details]

UK—Tribunal Overturns ICO’s £300,000 Spam Texts Fine

The General Regulatory Chamber, which allows rights of appeal against decisions of the UK Information Commissioner’s Office (ICO), has overturned an earlier £300,000 fine for the sending of unwanted text messages.  [Details]

UK—Ministry of Justice Fined £140,000 for E-mailing Prisoner Details to Inmates’ Families

The Information Commissioner’s Office (ICO) has served the Ministry of Justice (MoJ) with a £140,000 monetary penalty after the details of all prisoners serving at HMP Cardiff were e-mailed to three of the inmates’ families. [Details]

UK—ICO to Update Privacy Policy Guidance

The Information Commissioner’s Office (ICO) has announced that it will be updating its privacy policy guidance to reflect changes in privacy practices and technology. [Details]

UK—ICO Issues Code on Practice of Anonymisation

Anonymisation is of particular relevance at the moment, given the increased amount of information being made publicly available through Open Data initiatives and through individuals posting their own personal data online. Furthermore, the concept of anonymisation is fundamental for organizations that intend to take advantage of the possibilities offered by Big Data analytics without putting at risk the privacy of the data subjects. [Details]

Facts & Stats

WW – Data-Mining Software Biz Expects To Raise $100M

The New York Times reports on a data-mining software company that, on Thursday, was expected to file a notice that it has raised $100 million, putting a $9 billion valuation on the company. Palantir Technologies, which started as a CIA-funded data-mining company, just three months ago raised $196 million on a $6 billion valuation. Its initial customer base had been U.S. defense and intelligence contractors, but it now generates 60 percent of its revenue from commercial sources. The money raised is expected to be used in corporate expansion. Palantir currently employs 1,200 individuals in the U.S., Australia, Britain and Singapore. The Privacy Advisor recently reported on the growth of Big Data privacy jobs. [Source] [What Makes a Good Privacy Pro?] [Social Media Guru Deletes Facebook Account, Citing Need to “Take a Stand”]


US – The Impact of New Payment Card Industry Standards on Business

Version 3.0 of the Payment Card Industry Data Security Standard (PCI-DSS) has been released by the PCI Security Standards Council. The security requirements are intended to strengthen the security of cardholder data and encourage the adoption of uniform data security standards within the payment card industry. PCI-DSS applies to all entities that are involved in payment card processing. This includes merchants, processors, acquirers, issuers and service providers as well as entities that store, process and transmit cardholder data. [The Privacy Advisor]

US – Social Media Guidance for Financial Institutions

After taking into account comments received during the first few months of this year, the Federal Financial Institutions Examination Council (FFIEC) has issued its final guidance “to help financial institutions understand the applicability of existing requirements and supervisory expectations associated with the use of social media.” FFIEC says that financial institutions should have risk management programs including policies and procedures to “identify, measure, monitor and control” the use of social media and risks related to it. The guidance also recommends institutions provide guidance and training for employees as well as oversight, audit and compliance functions. [Read Guidance]

CN – Measures Clarify Rules for Chinese Credit Reference Agencies

The People’s Bank of China put out Administrative Measures for Credit Reference Agencies to supplement the Administrative Regulations on the Credit Information Collection Sector. Hunton & Williams’ Privacy and Information Security Law Blog reports that the measures provide more detail to the regulations, which “established a series of rules for the collection, use, processing, disclosure and transfer of personal information by credit reference agencies.” The measures require agencies that handle personal information to gain pre-approval for licensing before they incorporate the data and state that all credit reference agencies may experience “enhanced surveillance” in certain circumstances, including if the agency is involved in a data breach incident or has failed to comply with reporting obligations, among others. The measures take effect on December 20.


US – GINA: Complying With this Camouflaged Privacy Law

The Genetic Information Non-Discrimination Act of 2008 (GINA) regulates employers’ collection, use, safeguarding and disclosure of “genetic information,” making it a privacy statute, writes Philip Gordon — and one with which it is becoming increasingly difficult to comply. Social media posts celebrating a family member’s cancer remission or a son’s trip to the ER for asthma contain “genetic information” in the eyes of GINA, Gordon writes, adding, “Recent (Equal Employment Opportunity Commission) enforcement actions and private class-action filings as well as the increasing prevalence of personal social media in the workplace highlight the need for organizations to address, or revisit, their compliance with GINA.” Find out more about the EEOC’s implementing regulations and how to mitigate risk in your organization.  [Privacy Tracker]

US – Court to Hear California DNA Law Arguments

A panel of 11 Ninth Circuit Court of Appeals judges will hear oral arguments today in a case questioning the constitutionality of California’s DNA collection law. The law requires police to collect samples from every person arrested, the report states, noting the Ninth Circuit required attorneys on both sides of the California case to revise their arguments after the U.S. Supreme Court ruled 5-4 to uphold Maryland’s narrower DNA collection law. While “California Attorney General Kamala Harris and the Obama administration are both urging the court to uphold California’s law as a constitutional and powerful law enforcement tool,” the ACLU argues it is not constitutional because not all those arrested are charged with crimes. [The Associated Press]


WW – EFF Criticises Google for Removing Android 4.4.2 ‘Vital Privacy Feature’

The Electronic Frontier Foundation (EFF) has criticized Google’s removal of a privacy feature in a new Android 4.4.2 update, Computerworld UK reports. App Ops was a feature that gave users granular control over app permissions—a feature that privacy groups have long advocated for, the report states. The EFF’s Peter Eckersley said the app’s removal is “alarming news.” He also said he was told by Google that the feature was not yet supposed to be released as it could break some apps. Meanwhile, representatives of Google are expected to argue in the UK’s High Court that a case against the company for ignoring Safari users’ requests to not have cookies placed on their devices should be dropped. A Google spokesman said, “We’re asking the court to reexamine whether this case meets the standards required in the UK for a case such as this to go to trial.” [Full Story]

WW – Google to Cache All Gmail Images, to Some Confusion

Google announced it will now cache all e-mail images by default to improve user experience and security as well as load-speed. The move has apparently caused a little confusion as to whether it affects user privacy. Ars Technica initially reported that e-mail marketers will no longer be able to receive information directly from Gmail users. ClickZ lists the six data points collected by marketers from e-mail display images. Ron Amadeo of Ars Technica wrote, “While this means improved privacy from e-mail marketers, Google will now be digging deeper than ever into your e-mails and literally modifying the contents.” However, Wired reports the move will make it easier for senders to know if an e-mail has been opened. According to an updated Ars Technica report, senders who embed a code into the e-mail will know more about which ones are viewed. MailChimp has also blogged about the changes and what they mean for users. [Ars Technica]]

Health / Medical

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [HHS Report]

Horror Stories

US – Breaches Affect Health Providers, College System and Discussion Forum

Horizon Blue Cross Blue Shield is notifying nearly 840,000 subscribers that their personal information may have been affected by a stolen laptop, reports. While the laptops were password-protected, the data was unencrypted. The information contained may have included names, addresses, dates of birth and Social Security numbers. Meanwhile, Kaiser Permanente has reported a privacy breach at its Anaheim Medical Center to 49,000 patients. A breach at a community college in Arizona may cost $14 million. And a Swedish daily newspaper says it has uncovered the identity of hundreds who left comments on Disqus websites. The company says its network has not been breached, however, and the publication breached privacy policies to gain the information. []

US – Breach May Hit 465,000 Cardholders; 2M Passwords Stolen

Financial services giant JP Morgan Chase is alerting at least 465,000 holders of prepaid cash cards issued by the bank that their personal information may have been accessed by cybertheives. The cards were used by corporations to pay employees and for government agencies to issue tax refunds, unemployment compensation and other benefits, the report states. The company has located and fixed the vulnerability and has alerted law enforcement. CNN reports , in a separate incident, keylogging software that has been installed on countless computers around the world may have captured the login credentials of about two million users of 93,000 websites, including popular sites such as Google, Facebook, Twitter and Yahoo. [Reuters]

US – LinkedIn Seeks Class-Action Dismissal

LinkedIn is asking a federal judge “to toss out a class-action suit that claims the social networking company hacks into users’ accounts for promotional use .” In an argument filed in a California federal court, the company asserted the suit is “meritless,” contending LinkedIn members “consent to the site’s terms, which allow LinkedIn to send invitations to their contacts,” the report states. The company has also suggested the suit’s four plaintiffs should have been aware, as “any ‘reasonably prudent Internet user’ would have realized the permissions they were granting to the company after going through the various permission screens for the ‘Add Connections’ feature.” [SC Magazine]

Identity Issues

WW – AVG Unveils WiFi Do-Not-Track App for Mobile

With an influx of in-store mobile WiFi tracking, AVG Technologies has developed and rolled out a free smartphone app designed to block WiFi location tracking. The new “DNT” feature is an add-on to AVG’s PrivacyFix app for Android. When downloaded, the technology prevents the mobile device from transmitting its MAC address. AVG Vice President of Privacy Products Jim Brock said that until retailers adopt “meaningful standards,” including transparency, or provide consumers with an opt-out mechanism, “consumers are better off shutting out this kind of tracking.” [Forbes]

Internet / WWW

WW – Snowden Leaks “Gumming Up” Cloud Industry

Hightail CEO Brad Garlinghouse has said that the recent Edward Snowden revelations about government surveillance are “gumming up” the cloud computing industry. Hightail offers businesses cloud storage and document tracking services, but new difficulties have shaken the cloud business, he said. “The Snowden effect has extended the sales cycle for non-U.S. companies looking at doing business with U.S. companies,” Garlinghouse said, adding, “There are more questions about data security, encryption and (security) key management.” [CNET News]

Law Enforcement

US – Boston Police Halt License Scanning Program

The Boston Police Department “has indefinitely suspended” its use of license-plate readers to check for motor vehicle violations in light of privacy concerns. “The police inadvertently released to the Globe the license plate numbers of more than 68,000 vehicles that had tripped alarms on automated license-plate readers over a six-month period,” the report states, noting that release “triggered immediate doubts about whether the police could reliably protect the sensitive data.” Spokeswoman Cheryl Fiandaca said the department suspended the program while Commissioner William Evans reviews it “so he knows that it’s being used effectively and that it doesn’t invade anyone’s privacy.” [The Boston Globe]


WW – Twitter Partnership Aims to Bolster Location Services

Twitter has reached a multi-year licensing agreement with Pitney Bowes in order to tap into its location data for mobile services. Twitter will use Pitney Bowes’ Location Intelligence to bolster location-sharing and possibly improve ad targeting, tweets and map locations. The technology can help combine “location data for tweets with buying patterns, behaviors, preferences and influencers,” the report states, as well as cross-reference tweets with nearby retailers and users. [MediaPost News]

WW – Twitter Starts Ad Targeting; Automaker Tracks from Showroom

Social network Twitter is set to begin rolling out cookie-based targeted advertising to show users ads based on their browsing history, Reuters reports. Twitter now joins other large online businesses including Google, Facebook and Amazon in using cookies to help with targeted ads. Meanwhile, AdAge reports on one automaker’s attempt to better understand the shopping behavior of customers, not only in its showroom but in its competitors’ as well. By using the services of PlaceIQ , Mazda can target ads based on highly specific consumer data—including location. A Mazda representative said that PlaceIQ helps “us define behaviors based on real-world location … The value of this to us is we’re actually getting real-world (indicators).” [AdAge]


WW – Report: Developing Countries Need Privacy Laws to Bridge the Gap

UN trade and development body UNCTAD has released a report stating developing countries need to “adopt and enforce privacy and data protection laws” in order to bridge the “digital divide” that has arisen as a result of cloud computing. As of 2013, 101 countries had data privacy laws or bills, but only 40 developing economies could say the same. While the cloud provides many benefits, such economies must also be aware of the risks. Privacy International’s Carly Nyst said in developing countries, the absence of privacy laws and “weak accountability mechanisms” means cloud data is vulnerable, and no government or company should promote cloud services before ensuring privacy. [The Guardian]

Online Privacy

US – Internet’s Sad Legacy: No
More Secrets

In a feature for The New York Times, Nick Bilton writes that amidst reports of online tracking, “outfits like Snapchat have exploded onto the scene … holding out the promise that all those selfies, texts and e-mails will simply vanish … But the fact is, many services that claim to offer that rarest of digital commodities—privacy—don’t really deliver.” Princeton Prof. Edward Felten weighs in, cautioning, “Just because information is unavailable to you and you don’t see it doesn’t mean that it is not being captured, stored or even seen by someone else in transit.” The ACLU’s Ben Wizner suggests “change can happen” if “technologists that are disillusioned by the incessant tracking will use their skills to make surveillance more costly.” [Full Story]

WW – New Study Uses Bots to Track the Trackers

A new study led by researchers at Princeton University and Belgium’s KU Leuven has discovered patterns of discrimination based on traits such as affluence levels. Advertising and marketing firms often keep their tracking methods obscure, making it difficult for privacy advocates to demonstrate how the commercialization of online data can isolate consumers into their own “filter bubbles.” To circumvent that, the researchers have released bots that mimic real consumers—including fake profile traits such as age, gender, affluence level, location and interests—to come to a better understanding of how online businesses track, categorize and possibly discriminate against individuals. The research is being led by Princeton Prof. Arvind Narayanan—one of the early progenitors of Do Not Track. A spokesman for the U.S. Federal Trade Commission said, “We welcome research into privacy and technology issues, and we look forward to reviewing the research results.” [Forbes]

US – AT&T Offers Discount to Users Willing to Be Tracked

AT&T has recently rolled out plans to offer high-speed Internet, including a 30-percent discount for users willing to be tracked. AT&T’s Fletcher Cook said, “With AT&T Internet Preferences, you allow us to use your web browsing activity … to provide you with more relevant offers and advertising.” Cook also said the company will not sell personal information. Those choosing not to take the discount will not get targeted ads but will still have data about them tracked. “We keep your personal information only as long as needed for business, tax or legal purposes,” he said, adding, “For those that don’t (opt-in), information is safeguarded the same way.” [Forbes]

WW – Opinion: Forget Notice and Choice, Let’s Regulate Use

While there are few privacy principles more generally ingrained than that of notice and choice, Viktor Mayer-Schönberger suggests, “The naked truth is that informational self-determination has turned into a formality devoid of meaning and import.” During his IAPP Europe Data Protection Congress keynote, Mayer-Schönberger called for “a new protection mechanism. A paradigm adjustment to ensure privacy in the age of Big Data” rather than giving up on privacy. “It’s not that the data is problematic,” he said, “but how it’s being used, especially in the context of complex data analysis.” [The Privacy Advisor]. [Privacy Art]

Other Jurisdictions

AU – Amendment to Change Australia’s Privacy Landscape

Following the Australian government’s passage of the Privacy Amendment (Enhancing Privacy Protection) Act 2012, the privacy landscape will change significantly. As of March, a new set of Australian Privacy Principles will come into force, the information commissioner will see enhanced powers and credit reporting laws will change. A recent Gartner survey indicated businesses are aware and are rating privacy as a higher priority than they historically have. [Australian Security Magazine]

NZ – John Edwards Is New Privacy Commissioner

Wellington-based lawyer John Edwards has been named New Zealand’s new privacy commissioner, succeeding Marie Shroff, who served as the nation’s data protection authority for the past 10 years. As barrister and solicitor, Edwards has been practicing public law and policy for more than 20 years. Justice Minister Judith Collins said, “Mr. Edwards’ public- and private-sector experience give him a highly informed perspective on data privacy and data matching issues,” adding, “He is an acknowledged privacy expert and has a broad, practical understanding of the Privacy Act.” Shroff said the role of privacy commissioner has become increasingly demanding, the report states. Edwards will take up the new position in February. [The New Zealand Herald]

AU – Australian Privacy Amendments Carry Big Penalties

David Grace of Cooper Grace Ward advises businesses dealing with personal information to prepare to comply with Australia’s new privacy amendments. Noncompliance, he writes, carries the risk of “penalties of up to $1.7 million for breaches by corporations and up to $340,000 for breaches by individuals.” Grace continues on to describe how the Privacy Amendment (Enhancing Privacy Protection) Act 2012 “essentially rewrites the existing privacy laws,” citing the introduction of the 13 Australian Privacy Principles for the handling of personal information among other facets of the amendments and offers tips for compliance. The amendments will come into effect on 12 March. [Mondaq]

AU – ALRC Examines Right to Be Forgotten; Privacy Tort

The Australian Law Reform Commission (ALRC) is examining a “right to be forgotten” and “right and to erasure,” noting “privacy groups are demanding the right to censor other people’s posts as well, if they are embarrassing or defamatory.” However, Prof. Barbara McDonald, head of the ALRC review, noted such rights would only apply with consent. “Where a person has given consent for something to go up on Facebook, they should be able to withdraw that consent,” she said, adding, “We can’t give people the right to erase history.” Meanwhile, the nation’s mainstream newspaper publishers are refusing to assist the ALRC’s efforts to design a statutory privacy tort. []

NZ – New Zealand Official Welcomes Draft FATCA Legislation

Inland Revenue (IR) has released draft legislation to facilitate compliance with U.S. Foreign Account Tax Compliant Act (FATCA) regulations, quoting PwC New Zealand FATCA Director Henry Risk, who said, “We welcome the release of the proposed legislation by IR and the New Zealand Government. It offers a solution to the Privacy Act issue.” The legislation will allow New Zealand financial institutions to meet FATCA reporting obligations without breaching the Privacy Act, the report states. [Voxy]

HK – Commissioner Rules Fitness Center Collected Excessive Data

California Fitness has been fined by Hong Kong Privacy Commissioner for Personal Data Allan Chiang for breaching privacy law. Following an investigation, Chiang’s office found the fitness chain put 220,000 customers’ personal details at risk by asking them to provide too much personal information and by storing copies of their identity cards. A data leak could have led to identity theft, Chiang said. “It is irresponsible for organizations to collect (detailed personal) data for identification and authentication purposes without seriously assessing the risk … of using alternative and less privacy-intrusive means.” [South China Morning Post]

Privacy (US)

US – FTC Unveils Privacy Focus for 2014

The U.S. Federal Trade Commission (FTC) has announced it will host a set of three seminars to explore consumer privacy issues and “examine the privacy implications of three new areas of technology that have garnered considerable attention.” The FTC will explore mobile device tracking, alternative scoring products and consumer-generated and -controlled health data. The first seminar, focusing on mobile device tracking, will be held in February. Meanwhile, a Government Health IT report asks, “Can the FTC regulate digital health privacy?” and looks into both sides of the data security debate between the FTC and Atlanta-based health diagnostics firm LabMD. []

US – White House Must Respond to Email Privacy Petition

A petition on the White House website calls for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an office response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. [The Hill] [Petition]

US – Will GAO Report Spur Action from Congress?

Last year, U.S. Senate Commerce Committee Chairman Jay Rockefeller (D-WV) asked the Government Accountability Office (GAO) to investigate privacy issues pertaining to companies that collect, aggregate and sell personal information about consumers. In late November, the GAO publicly released the resulting report, “Information Resellers: Consumer Privacy Framework Needs to Reflect Changes in Technology and the Marketplace .” The report recommends that Congress “consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information.” Rockefeller is expected shortly to issue his own report on the topic, and the FTC is also preparing a report expected in early 2014. [Privacy Tracker]

US – O’Connor Named CDT’s President and CEO

The Center for Democracy and Technology (CDT) has announced Nuala O’Connor will head the organization. Leslie Harris, CDT president since 2005, announced in July she would resign from the post. O’Connor comes to the CDT from Amazon, where she’s worked as associate general counsel on privacy and data protection. Prior to that, O’Connor worked as chief privacy officer at the U.S. Department of Commerce and later the Department of Homeland Security before settling in at General Electric as chief privacy leader and senior counsel. She’ll lean on her past government experience in her new role and looks forward to tackling such issues as surveillance and online decision-making. [Privacy Advisor]

US – Potential Settlement Over Alleged Data-Mining Without Notice

A filing this week indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Bloomberg]

US – Study: Schools Outsourcing Student-Data Collection, Neglecting Safety

Public schools are using web-based services to collect and analyze personal details about students but aren’t providing the necessary safeguards. That’s according to a new study released by the Center on Law and Information Policy at Fordham Law School. The study looked at the contracts school districts sign to outsource such analytics. Many of the contracts “failed to list the type of information collected” and others “did not prohibit vendors from selling personal details—like names, contact information or health status—or using that information for marketing purposes,” the report states. Meanwhile, EPIC has filed a complaint with the FTC aimed at protecting student data.  [The New York Times]

Opinion: The Poor Deserve Privacy, Too

Seeta Gangadharan and Aleta Sprague report on welfare programs and the amount of sensitive data collected on recipients. The massive amounts of data are stored in potentially unsecure databases for varying amounts of time and sometimes lack permissions controls for case workers, the report states. “Poor people in the welfare system don’t have privacy,” the authors write, “and they don’t factor into broader debates on protecting individuals’ liberty and right to be left alone.” One solution, the authors suggest, is to collect less data on recipients, thereby making the system more efficient and mitigating the potential risk of data loss. [Slate]

US – PCLOB Announces New Job Openings

The Privacy and Civil Liberties Oversight Board (PCLOB) has announced it is looking to hire attorney advisors “who will assist the board in carrying out its oversight and advice functions regarding federal counterterrorism matters.” According to the official job description, many of the cases and problems that will be handled by the incumbent will “involve little or no established precedent, may present delicate legal or factual situations and may involve important Constitutional principles.” In comments provided to the Daily Dashboard, PCLOB Chairman David Medine wrote, “Thanks to the funding provided by Congress to the Privacy and Civil Liberties Oversight Board in October, PCLOB is now able to expand its staff by hiring several lawyers. These new lawyers will increase the board’s ability to oversee existing federal counterterrorism programs and provide advice on the development of new programs, in order to ensure that the need for such efforts is balanced with the need to protect privacy and civil liberties.” [USAJobs]

US – Axciom Signs First Long-Term Ad Agency Deal

One of the leading brands in the data brokering business, Axciom, has signed what AdAge is reporting as a “multi-year deal with one of the biggest media agencies in the business: Starcom MediaVest Group.” The deal allows Starcom access to Axciom’s Audience Operating System, which offers audience segmentation and targeting across online and offline media, thanks to first- and third-party data. “We believe leveraging Acxiom client data with third-party media data across any channel is going to … shape the market in years to come,” said Laura Desmond, CEO at Starcom MediaVest Group, which is part of Publicis Groupe. The deal is significant, Axciom says, because it has formerly only worked with individual brands and companies. “This Starcom partnership is a huge deal for us because Acxiom has never had in its 40-year history a relationship with an agency,” said Acxiom CEO Scott Howe. [AdAge]


US – NIST to Host Privacy Panel December 19-20

The National Institute of Standards and Technology’s (NIST) Information Security and Privacy Advisory Board is set to host a two-day, open meeting in Washington, DC, according to the Federal Register. Two main topics to be discussed are President Barack Obama’s Executive Order 13636 on critical infrastructure cybersecurity and potential incentives that should be adopted for improved cybersecurity practices. The report also features an agenda for the meetings, which includes updates on legislative proposals pertaining to information security and privacy, a discussion on cryptography and an update on the Privacy and Civil Liberties Oversight Board. []


WW – Tech Giants Urge Global Surveillance Reform

A group of top technology companies has presented a plan and published an open letter to U.S. President Barack Obama and members of Congress urging global government surveillance reform. Aol, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo together have rolled out the website to express their collected belief “that it is time for the world’s governments to address the practices and laws regulating government surveillance of individuals and access to their information.” This exclusive for The Privacy Advisor looks at the five principles presented by the group and rounds up the latest coverage of this issue as well as reports on increased local law enforcement requests of cellphone data. [Source]

US – Gov’t Gathering Five Billion Cellphone Locations Per Day

The National Security Agency’s (NSA) gathering of nearly five billion records per day on cellphone locations around the world. According to documents provided by former NSA contractor Edward Snowden, the documents’ details are stored in a vast database, and new tools to analyze the data have resulted in mass surveillance as the agency is capable of tracing cellphones globally and retracing movements. Privacy advocates have concerns about the agency’s ability to establish relationships between phone users based on such data. Chris Soghoian of the ACLU said the only way to hide your location is to “live in a cave.” Meanwhile, a Brown University panel recently discussed NSA spying and how sophisticated government agencies have become in analyzing such data. [The Washington Post]

US – Obama Panel Urging Some NSA Curbs

The New York Times reports on the conclusions of President Barack Obama’s surveillance review panel. According to the panel’s report, the NSA program collecting U.S. phone call data should continue but only under “broad new restraints” to increase privacy protections. The panel also allegedly concluded that the U.S. should codify and publicly announce the steps it’s taking to protect the privacy of foreign citizens whose phone and Internet data is collected by the NSA and create “an organization of legal advocates” to argue against government lawyers before the Foreign Intelligence Surveillance Court. Resistance to the conclusions from the NSA and others is expected, the report states. Meanwhile, Verizon Communications has taken a stance against a shareholder resolution that would require more transparency about what user data it shares with the government. AT&T recently resisted a similar shareholder resolution as well. [Full Story] SEE ALSO: [Opinion: Privacy Rules Must Not Be Ambiguous]

WW – U.S., UK Intel Infiltrates Online Gaming

New leaks from Edward Snowden revealing that the U.S. National Security Agency and the UK’s GCHQ have infiltrated large online gaming communities to gather intelligence on possible terrorist activity. According to the documents, the agencies possess massive data-collection capabilities within the Xbox Live console network—a gaming community with approximately 48 million users. Documents also reveal that if done correctly, spying within the networks could produce intelligence on users’ social networking, target identifiers such as profile photos, geolocation, biometrics and other communications. Makers of the game World of Warcraft said they “are unaware of any surveillance taking place … If it was, it would have been done without our knowledge or permission.” [The Guardian]

US – NSA Uses Ad-Tracking Tech to Locate Targets

Leaked U.S. National Security Agency (NSA) slides reveal the agency is “piggybacking” on tools used by Internet advertisers to locate potential targets for government hacking and surveillance. According to documents leaked by Edward Snowden, the NSA and the UK’s GCHQ use cookies to identify individuals. Specifically, they have used Google’s PREF cookies, which generally do not contain personal information but do include users’ e-mail addresses and numeric codes to identify their browsers, the report states. Additionally, the documents reveal that the NSA is using commercially collected data to help it locate mobile devices around the world. UC Berkeley Law Prof. Chris Hoofnagle said, “On a macro level, ‘we need to track everyone everywhere for advertising’ translates into ‘the government being able to track everyone everywhere’ … It’s hard to avoid.” [The Washington Post]

Telecom / TV

US – Groups Want Anonymized Phone Records Protected

In a petition filed with the Federal Communications Commission (FCC), privacy advocates have asked that even “anonymized” phone records be protected under the Communications Act. Section 222 of the act requires phone carriers to get customer consent before sharing data. The petitioners want the FCC “to issue a declaratory ruling that non-aggregate call records, purged of personal identifiers but with customers’ individual characteristics intact, are protected as ‘individually identifiable CPNI (customer proprietary network information)’ and phone carriers … must not sell the records without customers’ consent,” the report states. The petitioners allege AT&T violated the act by selling phone records to the Central Intelligence Agency. [PCWorld]

US Legislation

US – AZ State Sen. Wants To Ban NSA from the State

Sen. Kelli Ward (R-Lake Havasu City) says next month she will introduce legislation to prohibit state and local law enforcement from providing support to the National Security Agency (NSA) and state-owned utilities providers from providing services to NSA facilities. Ward aims to prevent warrantless surveillance of Arizona residents. Michael Maharrey, of the Tenth Amendment Center, the group that wrote the template for the bill, says Arizona is the first state to announce it will officially consider it. “That the federal government cannot force states to help implement or enforce any federal act or program is well-established in the law. It is known as the anti-commandeering doctrine,” Maharrey said. [Computerworld]

US – Candidate Wants Surveillance Protection in MT State Constitution

U.S. Senate candidate John Bohlinger (D-MT) has filed paperwork with the Montana Secretary of State that would expand the state constitution’s privacy protections to include digital data, reports KRTV News. Bohlinger is looking to get the language on November’s voter ballot, but it must first go through the legislative counsel, the Montana Attorney General’s Office and gain more than 40,000 signatures.

US – NY Sen. Proposes Changes in State’s Education Privacy Regime

New York State Sen. and State Senate Education Committee Chairman John Flanagan (R-East Northport) issued a report recommending stronger privacy protections for student data, among other initiatives. The report addresses concerns voiced during five Education Committee hearings, including third-party access to the personally identifying information of students, teachers and principals in the state’s Education Data Portal. One piece of legislation the report points to is a privacy bill “which would strengthen protections of personal information stored on the state-wide data portal, establish significant civil and criminal penalties for unauthorized disclosure of personal information and create independent oversight within SED on matters related to privacy,” Long Island Exchange reports.

US – Journalists, School Argue Over Whether Surveillance Video Is Protected Under FERPA

The Utah chapter of the Society of Professional Journalists (SPJ) has filed a brief stating that the Canyons School District has wrongfully cited the Family Education Rights and Privacy Act (FERPA) in denying access to school surveillance video footage, reports Student Press Law Center. While the school states the footage is protected because it is maintained by the school and identifies students, the SPJ says the video is not an education record and is therefore exempt from FERPA. The lawyer for the SPJ wrote in the brief that the footage “is akin to a law enforcement record, which is expressly excluded from the definition of ‘education record’ under FERPA.”

US – Petition Acquires Enough Signatures to Require White House Response

The Hill reports on a petition on the White House website calling for an update to the Electronic Communications Privacy Act (ECPA) to require police to obtain a warrant before accessing online communications. The petition reached 100,000 signatures by its December 12 deadline, meaning it requires an office response from the White House. The Justice Department said earlier this year that updating ECPA has “considerable merit” but recommended civil regulatory investigations be exempted from the warrant requirement because regulators don’t have access to the warrant power. Full Story

US – Lawmakers See Amazon Announcement as More Reason for Drone Regulation

The recent announcement by Amazon’s founder Jeff Bezos that the company expects to make deliveries by drones in the near future has given Reps. Ted Poe (R-TX) and Zoe Lofgren (D-CA) and Sen. Ed Markey (D-MA) a new hook to push bills that would regulate drone use with respect to privacy. “The issue of concern, Mr. Speaker, is surveillance, not the delivery of packages. That includes surveillance of someone’s backyard, snooping around with a drone, checking out a person’s patio to see if that individual needs new patio furniture from the company,” Poe said in front of Congress this week. [The Verge]

US – CA Court of Appeals Limits Claims, Damages Under CMIA

In keeping with previous data breach cases, the California Court of Appeal recently limited plaintiffs’ ability to state a claim and get statutory damages under the California Medical Information Act. The court ruled that “plaintiffs must plead and prove more than the mere allegation that a healthcare provider negligently maintained or lost possession of data but rather that such data was in fact improperly viewed or otherwise accessed.”The authors state the court relied heavily on “an analysis of the legislative intent behind Senate Bill No. 19.” [Law360.]

US – FTC Settles with Flashlight App Developer

The Federal Trade Commission (FTC) has settled with an Android flashlight app developer over charges that the app deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. “Brightest Flashlight Free,” developed by Goldenshores Technologies, allegedly failed to disclose within its privacy policy that it transmitted users’ precise locations and unique device identifiers to third parties. The settlement, the FTC’s first based on location data, prevents the company from misrepresenting how it collects and uses consumer data and requires it to provide a just-in-time disclosure informing consumers of how their data is used and obtain express consent. Meanwhile, a study has found most mobile apps put privacy at risk. Mobile privacy is one of three focuses for the FTC in 2014. []

US – Potential Settlement Over Alleged Data-Mining Without Notice

A recent filing indicates Comscore, which measures website traffic, will confer December 16 on settling a 2011 lawsuit alleging a privacy invasion, Bloomberg reports. In the group lawsuit, plaintiffs said the company installed data-mining software on their computers in order to collect user names, passwords and credit card numbers, the report states. The suit alleges the company did not disclose such practices in its online policies. The company has denied the allegations. [Full Story]

US – OCR Not Fully Enforcing HIPAA; Revisions Called For

A recent report from the Department of Health and Human Services (HHS) Office of Inspector General concludes the Office for Civil Rights (OCR) did not meet all of its enforcement and oversight requirements under the Health Insurance Portability and Accountability Act (HIPAA). According to FierceHealthIT, the report criticizes the OCR for not completing privacy impact assessments, among others, for two of three systems that oversee the Security Rule. Meanwhile, the Health IT Policy Committee has recommended HHS revise certain delayed plans to revamp the HIPAA accounting of disclosures rule and roll out pilot tests prior to implementing a final rule. Additionally, the Bipartisan Policy Center has issued a report stating that HIPAA is “misunderstood, misapplied and over-applied” and is burdensome toward improved patient care. [Full Story]

US – State AGs: The Most Important Regulators in the U.S.?

The last year was an eventful one in the area of data and online privacy, with more laws, more enforcement actions and generally increased attorney general scrutiny. Given that we are not likely to see federal preemption of state authority in this area anytime soon—and that the Federal Trade Commission (FTC) is encouraging state action on data privacy—it remains critical that privacy professionals expand their focus beyond the FTC and data protection authorities to consider AGs, who are rapidly becoming the most important data privacy regulators around, write Divonne Smoyer  and Aaron Lancaster. In this exclusive for The Privacy Advisor, Smoyer and Lancaster look back at 2013 to make predictions for the year ahead. [Full Story]

US – Where the FTC is Headed in 2014

On Capitol Hill, all four FTC commissioners testified before a House Energy and Commerce subcommittee to defend their regulatory role and ask for more authority in the rapidly developing digital economy. According to Politico, the commissioners faced tough questions from the Republican-dominated subcommittee on its current budget, resources and authority, but FTC Chairwoman Edith Ramirez said her agency is limited in its current authority and that baseline federal privacy legislation is needed. The scope of the FTC’s authority, the privacy issues with which it’s grappled and the day-to-day work of its staff on consumer privacy issues were also the focus during Wednesday’s IAPP Practical Privacy Series in Washington, DC, reports The Privacy Advisor , including remarks by Rep. Marsha Blackburn (R-TN) and FTC Bureau of Consumer Protection Director Jessica Rich. The FTC also last week announced it will host a set of three seminars to explore consumer privacy issues The first seminar, focusing on mobile device tracking, will be held in February. [Full Story]

US – Legal Reform Needed in U.S., Not Just Europe

“I recall that in the early 1990s and early 2000s, it was often a struggle to get people outside of Europe to take EU data protection law seriously,” writes Wilson Sonsini Partner Christopher Kuner, adding, “The perceived lack of enforcement in the EU, and the dynamic legislative climate in the U.S., meant that more attention was given to U.S. developments.” But now, with the advent of the European Commission’s proposed General Data Protection Regulation, the situation is reversed and “U.S.-based lobbyists have descended in hordes on the EU institutions,” making Brussels “the center of the global privacy world.” In this Privacy Perspectives post, Kuner asks, “Why doesn’t the U.S. work as hard to improve its own privacy law as it does to lobby for changes in the EU?” He makes the case for why, when lobbying for privacy reforms, the U.S. should look in the mirror. [Full Story]

US – Google Wins Dismissal in Privacy Policy Case

Google has won its dismissal of a lawsuit challenging its privacy policy, which allows it to combine user data across its different products. U.S. Magistrate Judge Paul Grewal ruled the plaintiffs failed to prove they had suffered losses as a result of Google’s actions, but he also ordered the plaintiffs can refile their claims. “A plaintiff must do more than point to the dollars in a defendant’s pocket,” Grewal wrote in his ruling. In order for the suit to move forward, the plaintiffs have to demonstrate how Google’s use of their data “deprived the plaintiff of the information’s economic value.” [Bloomberg]

US – ALEC Publishes Model Bill for State Education CPOs

The American Legislative Exchange Council (ALEC) is promoting a model bill that would require state school boards to appoint a chief privacy officer and publish an inventory of student data collected by the state, among other requirements, reports Education Week. The bill was modeled after a recently passed Oklahoma law, and while other advocacy groups are praising ALEC’s efforts, they have expressed concerns about the lack of limits placed on noneducational use of the data. “Focusing on transparency and accountability is always a good start, but I’m not sure that (the ALEC model bill) is comprehensive in covering the education-technology landscape,” said Joni Lupovitz of Common Sense Media. Editor’s Note: The IAPP’s Privacy Tracker blog featured a post highlighting a similar model bill earlier this fall. [Full Story]

Workplace Privacy

EU – Revelations That Ikea Spied on Its Employees Stir Outrage in France

The New York Times reports on the range of internal and personal investigations generated by IKEA’s France-based stores. A regional court in France is now looking into whether company executives in France violated national law by ordering personal investigations of hundreds of individuals over a 10-year span. Investigations were conducted by the company for several reasons, including job applicant background checks, cases against employees accused of wrongdoing and ways to counter consumer complaints brought against the company in courts, and, according to the report, IKEA France approved more than 475,000 euros for the hiring of private investigators. A lawyer representing one plaintiff in the case said, “It is hard to conceive that this kind of thing happens in a democratic society like France … This is not Soviet Russia.” [The New York Times]




16-30 November 2013


WW – Advancements in Facial Recognition Raise Privacy Questions

Facial recognition technology is rapidly evolving, “using frame-by-frame video analysis to read subtle muscular changes that flash across our faces in milliseconds, signaling emotions like happiness, sadness and disgust.” While there may be benefits to such face-reading software—such as recognizing confusion on the face of an online student and offering tutoring options—one U.S. privacy attorney notes such technology raises concerns. “The unguarded expressions that flit across our faces aren’t always the ones we want other people to readily identify,” Ginger McCall said, adding, “Private companies are developing this technology now. But you can be sure government agencies, especially in security, are taking an interest, too.” [New York Times]

US – Franken Wants Users Protected Against Facial Recognition ASAP

Sen. Al Franken (D-MN) has asked the Commerce Department to facilitate a discussion between tech companies and privacy advocates on facial recognition technology. In a letter to the Commerce Department’s National Telecommunications and Information Administration this week, Franken said the tech community should develop best practices “as quickly as possible” to protect individuals when it comes to the technology. “The urgency of this matter is underlined by Facebook’s recent expansion of its facial recognition database—already likely the largest in private hands,” Franken wrote, referring to Facebook’s recent update to its data-use policy that states it will use public profile pictures to identify users in other photos. [The Hill]


CA – Stoddart Departing Commissioner’s Post

Privacy Commissioner Jennifer Stoddart’s departure from office and the work she did while there, including taking on big companies like Google and Facebook in defense of Canada’s privacy laws. She’s also been an “outspoken critic” of how the federal government handles and protects Canadians’ personal information and has called for an update to the Privacy Act and the Personal Information Protection and Electronic Documents Act. Stoddart recently gave an exit interview in which she discussed the problems Canada faces, including protecting privacy rights in the face of new technologies such as drones and facial recognition. Assistant Privacy Commissioner Chantal Bernier will step up as interim privacy commissioner until Stoddart is replaced. [Postmedia News]

CA – Commissioner Supports Call for CSC Audit

Correctional Investigator Howard Sapers has recommended Correctional Service Canada “conduct an internal audit of its practices and procedures to protect personal information,” and that call has prompted a statement of support from Privacy Commissioner Jennifer Stoddart. “We are very pleased that the correctional investigator has called for an internal audit,” Stoddart’s statement reads. “Year after year, our own office has identified serious privacy concerns with respect to Correctional Service Canada (CSC).” The statement notes the CSC “consistently accounts for the largest number of complaints received by our office”—with 284 received in 2012-2013. [Canada NewsWire]

CA – Journalists Concerned About Bill C-461

Journalists and broadcasters are raising concerns that Bill C-461 “could undermine the journalistic and programming integrity of Canada’s public broadcaster, the CBC/Radio-Canada.” In a statement, the journalists cite multiple concerns, including that it “opens the door to privacy requests that could also jeopardize the CBC’s journalistic integrity.” The report suggests, “C-461 changes the Privacy Act by removing the CBC’s right to exclude privacy information collected for reasons of journalism and instead makes disclosure of that information subject to a test of injury to the CBC’s ‘independence.’” [CNW]

CA – What Does Unconstitutional Ruling Mean for Alberta Privacy Law?

In the wake of news that the Supreme Court of Canada has deemed the Alberta Personal Information Protection Act (PIPA) unconstitutional, Shaun Brown analyzes what the decision means for the province. “It was inevitable that freedom of expression would eventually clash with privacy legislation in the courts,” writes Brown, adding that the ruling was “not surprising.” The broad “prohibition-first” approach of PIPA means “there are bound to be certain purposes that maybe should be exempted from the requirement to obtain consent but could not be conceived by legislatures when privacy laws were initially drafted,” Brown writes. [Privacy Tracker]

CA – Cyber-Bullying Bill Revives Bill C-30 Controversy

A tough new law on cyberbullying is putting a spotlight on the Conservative government’s sweeping approach to strengthening police investigative powers. The proposed law was introduced Wednesday, and is reviving the controversy around the previously withdrawn Bill C-30. “Regrettably, the federal government is using this pressing social issue as an opportunity to resurrect much of its former surveillance legislation, Bill C-30,” said Ontario Information and Privacy Commissioner Ann Cavoukian, suggesting the new bill gives police surveillance powers that pose a risk to privacy. Meanwhile, Minister of Justice and Attorney General Peter MacKay has denied the “new anti-cyberbullying bill will do an end-run around legitimate Internet privacy protections.” [The Globe and Mail]

CA – Supreme Court to Hear Gun Registry Appeal

The Supreme Court has decided it will give Quebec’s government a final chance at making a case for preserving gun registry data. In June, the Quebec Court of Appeal ruled the province “has no property right in the data,” noting “its existence in a registry infringes the right to privacy,” the report states. “For the moment, we’re satisfied with the situation, and we’re preparing for the eventual creation of a Quebec arms registry,” said Stéphane Bergeron, Quebec’s public safety minister. Federal Public Safety Minister Steven Blaney issued a statement, however, that the Conservative government “will vigorously defend our legislation, adopted by Parliament, in front of the Supreme Court.” [The Globe and Mail]

CA – Opinion: Saskatchewan Should Look to Neighbours

Attorney Greg Fingas writes about Saskatchewan’s lack of provincial privacy law, noting that while it has managed to skirt the issues some of its neighbours have come up against, its citizens may not be getting the level of privacy protection they want. Federal law offers some protection to Saskatchewan residents, and Fingas says “it’s possible that our current privacy protection is sufficient. But given an ideal opportunity to ask what protection we expect for ourselves, we should keep an eye on our neighbours’ choices rather than avoiding the question entirely.” [Leader Post]


US – Are Notice and Consent Still Relevant for Internet of Things?

Stakeholders met in Washington, DC, to explore and hash out the privacy and security implications of the Internet of Things (IoT). The rapidly emerging landscape of connected sensors and embedded technology has garnered the attention of the FTC of late, but the complexity of the IoT ecosystem was readily apparent during yesterday’s proceedings. Jedidiah Bracy covers the event and looks at calls for a new privacy paradigm around the Fair Information Practice Principles and the need for even more robust privacy design initiatives. [The Privacy Advisor]

WW – User Privacy Perceptions Could Cause Harm

A new study suggests that, though a majority of users believe they have responsibility to protect their privacy, most do not take steps to actually protect it. The disconnection between users’ attitude toward privacy accountability suggests that consumers’ perception is more ideological than practical, said Stephen Cobb, a senior security researcher at ESET, the organization that commissioned the Harris Interactive survey of more than 2,000 U.S. adults. “What I think people lack are the resources and education to follow all the way through with (protecting information),” he said, adding, “The average American adult isn’t going to walk through the door well-prepared to protect that company’s information … They need help. They need education.” [Network World]


US – Judge Who Ruled Against Google To Hear Yahoo Case

Following her ruling against Google’s request to dismiss a privacy lawsuit accusing it of using personal information gleamed from e-mails transmitted via Gmail, U.S. District Judge Lucy Koh is being sought after to hear similar lawsuits against Yahoo. The lawyer who filed a November 15 complaint against Yahoo says Koh’s recent ruling against Google’s request to dismiss the suit against it was “enormously important” for plaintiffs in group privacy suits. Yahoo has requested that three complaints filed against it be combined in an effort to minimize the labor or costs associated should the case be heard by three different judges. Separately, Yahoo has announced that following revelations that the NSA had accessed its data centers, it will add encryption to all of its products by spring 2014. [Bloomberg]

Electronic Records

WW – Hartzog and Selinger: Maybe We Need More Specific Terms

Woodrow Hartzog and Evan Selinger discuss some of the myths around Big Data and the importance of using the term correctly. Skepticism is important in order to help society set realistic expectations, the authors write, but like the concept of “privacy,” the term “Big Data” itself is problematic because “it has no set meaning.” At some point it will be important to assign specific terms, rather than “heuristic terms”—or “mental shortcuts” developed to make sense of complex ideas quickly—in order to accurately discuss such concepts as Big Data, the authors write. [Forbes]


US – Lavabit Files Reply Brief in Appeal

Lavabit’s legal team has filed its reply brief in its case appealing the US government’s authority to demand the company’s master encryption key. The outcome of the case will decide whether an Internet company can be compelled to surrender master encryption keys when entities are seeking information about a single user. According to Lavabit’s brief, “the government has no general entitlement to search through the information of an innocent business.” [WIRED]

WW – Google Beats SSL Upgrade Deadline

Google has fulfilled its commitment to retire 1,024-bit encryption keys ahead of the scheduled target of the end of this year. Google has now replaced all certificates for its online services with new, 2,048-bit SSL certificates. The company is also taking steps to encrypt traffic between its data centers. [CNET]

EU Developments

EU – Commission Gives U.S. 13 Ways to Save Safe Harbor

The European Commission has released its report on EU-U.S. data flows, including a critique of the widely-criticized Safe Harbor framework , which makes 13 recommendations to improve the data-transfer mechanism. The commission says U.S. authorities have until summer of 2014 to implement the recommendations, at which point it will revisit the review. U.S. Federal Trade Commissioner Julie Brill said she’s pleased the commission has indicated its support for maintaining Safe Harbor as a data transfer mechanism. “I think some of the recommendations—increasing transparency and making alternate dispute resolution accessible and affordable—would be helpful.” Dutch MEP Sophie in ‘t Veld said that while she’s pleased there’s progress, the report is long overdue. “Maybe we’re now finally entering the phase where we no longer tolerate that our own EU rules are being overruled by third countries’ laws,” she said. Covington & Burling’s Henriette Tielemans said the report indicates a “genuine willingness on the part of the commission” to save Safe Harbor. [The Privacy Advisor]

EU – Safe Harbor Report Could Be the Start of Real Privacy Interoperability

According to Field Fisher Waterhouse Partner Eduardo Ustaran, the European Commission’s report on Safe Harbor lived up to expectations of being “critical” of the agreement but stopped short of “delivering a fatal blow to the scheme.” Ustaran writes for  that false claims of compliance with Safe Harbor “appear to be a greater concern than the potential vulnerability of Safe Harbor as a conduit to allow U.S. intelligence authorities to access data originating from the EU,” adding, “In other words, the European Commission is not really seeking to turn Safe Harbor into a data bunker…” [Privacy Perspectives]

EU – Brussels to Warn U.S. of Safe Harbor Risk

Lawmakers in Brussels are set to officially warn Washington that Safe Harbor may be at risk unless U.S. tech businesses change the way they handle the data collected on EU citizens, Financial Times reports. The European Commission (EC) has been reviewing the Safe Harbor pact and is slated to announce its conclusions on Wednesday. According to the report, the EU is not expected to scrap the deal, but its wording suggests the EU will move in that direction if changes are not made by U.S. businesses. “The personal data of EU citizens sent to the U.S. under the ‘Safe Harbor’ may be accessed and further processed by U.S. authorities in a way incompatible with the ground on which the data was originally collected,” the draft version of the EC report states. “The commission has the authority … to suspend or revoke the Safe Harbor decision if the scheme no longer provides an adequate level of protection.” [CNBC]

EU – Cookie Monsters of Silicon Valley Come to Brussels

In the world of online tracking, the cookie is king—but there may be a regime change on the horizon. Cookies are under more regulatory scrutiny than ever, especially in Europe, but even as legislation seeks to make cookie use more privacy protective, the technology itself is on the way out. Instead, server-side tracking alternatives and embedded device identifiers, mainly in the hands of Internet giants like Google, Facebook, Microsoft and Apple, are poised to supplant cookies in the digital tracking market. Thus, it is important to analyze the effect of these changes in the techno-business landscape on the EU regulatory framework. IAPP Westin Research Fellow Kelsey Finch examines how this new technology is likely to be viewed and regulated in the European Union. [Full Story]

EU – Berlin Now Home to Privacy Activists, Leakers

Germany’s once-divided city of Berlin has become a haven for privacy activists and whistleblowers attempting to avoid prosecution from countries such as the U.S. and UK. Documentary filmmaker and Edward Snowden conduit Laura Poitras has made Berlin home, as has former Wikileaks spokesman Jacob Appelbaum. One privacy activist said, “It’s a rather inviting social climate right now … Why be completely paranoid, go mad, have your house surveilled? There’s a reason people are coming here.” [The Washington Post]

EU – Safe Harbor’s in Trouble—Unless You Ask the U.S.

The U.S. Department of Commerce says Safe Harbor is still viable, and the FTC says it has rigorously enforced compliance with the data-transfer mechanism. But privacy regulators and politicians from European countries—Germany in particular—seem hell-bent on putting an end to the agreement and are calling the U.S.’s bluff everywhere but on paper. So far. Angelique Carson talks with FTC Commissioner Julie Brill, the U.S. Department of Commerce, Covington & Burling’s Henriette Tielemans and Wilson Sonsini Goodrich & Rosati’s Christopher Kuner, both in Brussels, about the impact of new accusations that as many as 400 companies are violating Safe Harbor and what to expect in the European Commission’s December report on the pact’s viability. “I can’t overstress the hostility toward it here,” Kuner said. [The Privacy Advisor]

EU – Reding: U.S. Must Allow Europeans to Sue Agencies That Violate Privacy

EU Justice Commissioner Viviane Reding says the U.S. can win back EU trust by allowing EU citizens the right to sue U.S. agencies that violate their privacy. Reding said today’s meeting between EU and U.S. officials must make progress toward enforceable rights. Meanwhile, the U.S. Supreme Court has rejected a challenge of the National Security Agency’s telephone spying program, and two district courts will hear challenges to NSA snooping. In Luxembourg, Europe v. Facebook wants more specific answers on the federal data protection commissioner’s ruling that Microsoft and Skype did not break privacy law by transferring EU user data back to the U.S. [Bloomberg]

EU – EU Parliament could block data sharing with the US

After EU Justice Minister Viviane Reding was making positive noises about a deal with the U.S. on law enforcement access to data, MEP Jan Philip Albrecht said that there is a line in the sand the EU Parliament will not cross: “If a U.S. citizen has a problem with how his data has been treated in the EU, he can take it up with an EU court. We just want the same rights in the U.S. This should be possible. It would be very easy to fast-track change in the U.S.’s privacy act and simply add text to include EU citizens.” [Full Story]

EU – Opinion: Data Community Must Influence Law

“It is essential … that the information security community not only make the effort to be aware and prepare but also recognise and exert influence over” the eventual EU data protection legislation, writes Yves Le Roux of (ISC)2. Pointing to the lack of technical feasibility of the right to be forgotten, Le Roux writes that privacy pros and others need to speak up about such elements of the law that may not be practicable, noting that the IAPP Europe Data Protection Congress provides an opportunity to do just that. [Computerworld]

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Department in Washington. Prior to the meeting, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]

EU – German Court: Google Rules Violate User Rights

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]


EU – French Court Orders Search Engines and ISPs to Block Pirate Sites

A French court has ordered major search engines to block 16 video-streaming websites. Google, Microsoft, and Yahoo must prevent the sites from appearing in their search results. The order also applies to several Internet service providers (ISPs) used by residents of France, which will have to prevent users from accessing those sites. Some of the plaintiffs in the case told the judge that merely ordering a block on the sites would prove ineffective because the people behind the pirate sites would just re-create the sites with new names. Wiley Rein’s David Weslow says if the decision is upheld on appeal, “there may be a precedent in France for forcing search engines or other types of Internet service providers to take affirmation actions to disable certain online content even where a ‘take down’ request has not been filed with that Internet service provider.” A recent poll about whether government should play an increasing role in protecting online privacy indicated 52% voted yes and 48% voted no, indicating “there is not overwhelming agreement” on what should be done,, adding tech companies and governments should be prepared to weigh in. Meanwhile, Google says it will voluntarily remove a Google Maps image related to a young boy’s murder. [TechRepublic]  [BBC] [WIRED]


WW – Coin Addresses Some Critics’ Concerns

When Coin released information about its all-in-one digital credit card last week, some critics voiced concern about the technology’s security and reliability issues. For example, some wondered how securely the credit card information is stored and whether the device could be used as a card skimmer. Others expressed concern that the device would not work if the associated phone is out of power, and wondered whether or not merchants would be willing to accept Coin for payments. Coin has announced some changes, including a method for reactivating the device even if users’ phones are out of battery. Coin will also lock onto the payment method users have chosen to avoid accidentally switching to other payment methods stored in the device. The company says that the stored card information is encrypted. [CNN]


EU – Dutch DPA Says Google Policy Violates Law

Dutch Data Protection Commissioner Jacob Kohnstamm has found Google’s privacy policy “violates data protection law by spinning an ‘invisible web’ with users’ personal data without their consent,” Bloomberg reports. Kohnstamm said the policy, which combines Internet users’ data from various Google services, is “forbidden by law.” He added that he will decide on possible penalties after a hearing with the company. Google says its privacy policy “respects European law” and allows it to create “simpler, more effective services.” Meanwhile, Germany’s SAP has rejected politicians’ calls for European IT firms to band together following U.S. NSA spying revelations, saying the plan would be “doomed to fail from the outset.” [Bloomberg]

US – Google to Pay $17M to Settle Cookies Case

Google has agreed to pay $17 million in a settlement with 37 states and the District of Columbia “over its unauthorized placement of cookies on devices running Apple’s Safari browser,” following Google’s agreement last year to pay a $22.5 million civil penalty to the FTC. In their case, the state attorneys general alleged “Google’s circumvention of Safari’s default privacy settings violated state consumer protection and related computer privacy laws,” the report states. A Google spokeswoman said, “We work hard to get privacy right at Google and have taken steps to remove the ad cookies, which collected no personal information, from Apple’s browsers.” [IDG News Service]

EU – Court: Google Rules Violate User Rights

A German court has ruled that 25 provisions in Google’s data protection rules violate user rights and German law. The Federation of German Consumer Organizations (VZBV) brought the case, arguing the clauses are too vaguely formulated. Google says it will appeal the ruling, stating it believes its “terms of service and privacy policy comply with all applicable laws.” VZBV has been targeting large corporations’ data practices, including Apple and Samsung, since 2012, winning judgments against their policies in Berlin courts. [Bloomberg]

EU – Complaints Over Google Terms of Service Filed in 14 Countries

Privacy advocate Simon Davies has filed complaints with 14 European data protection authorities stating that Google’s new terms of service violate European data protection law. The main issue involves changes to the “shared endorsements” feature, which allows Google+ users’ names and photos to be used in advertising for products they follow on the service. “The general position is that the ground rules shouldn’t be changed halfway through the match. Google acquired the data under one condition, and I’m asserting that it cannot change the purpose of that data after the fact,” Davies said. Davies’ other challenges target the feature’s opt-out mechanism and changes in the way users are required to interact with YouTube. [PCWorld]

Health / Medical

US – Debunking Three Cyber Insurance Myths

“In the past, cyber insurance was a polarizing issue in my discussions with privacy and risk professionals,” writes Experian Data Breach Resolution Vice President Michael Bruemmer, “Some professionals were adamant about the benefits of cyber insurance, while others worried that the policies currently on the market didn’t meet its needs or were too costly.” Bruemmer debunks three of the most common myths associated with cyber insurance and examines why small- and medium-sized businesses are not off the radar of hackers and other cyber thieves. [Privacy Perspectives]

Horror Stories

WW – Breaches Hit Health Exchanges, Anthem and More

Los Angeles Times reports that Anthem Blue Cross accidentally posted online the Social Security numbers (SSNs) and tax identification numbers of approximately 24,500 doctors. The data was mistakenly published within an online directory last month. Meanwhile, GovInfoSecurity reports on three breaches involving health insurance exchanges, including in Vermont and Oregon. In a separate report, the Office of the National Coordinator for Health IT Chief Privacy Officer Joy Pritts discusses two essential steps organizations should take to help mitigate data breaches. More than 1,000 patients at California’s Redwood Memorial Hospital have been notified their personal information may have been compromised after an unencrypted USB drive was misplaced. Crown Castle has revealed that sensitive payroll data of its U.S. employees has been accessed by hackers. After a data breach affecting several city workers, the city of Milwaukee has said it will avoid using SSNs . And representatives from Adobe have said e-mails notifying those affected by a massive breach are taking longer than it anticipated. [L.A. Times]

WW – Breaches Affect School, Dating Site, Health Plan

A New York school district is alerting thousands of students and their parents of a security breach that saw some of their data posted online. A list of 15,000 names and school ID numbers were posted. Meanwhile, Anthem Blue Cross has begun notifying customers that their names, business addresses and tax ID numbers were posted to the company’s website this month. And online dating service company Cupid Media suffered a breach in January this year exposing names, e-mail addresses and passwords in plaintext. In an opinion piece for Dark Reading, Robert Lemos warns that cloud data is increasingly vulnerable to hacks. [Newsday]

US – Cupid Media Data Breach Affects Millions of Accounts

A data security breach at online dating network Cupid Media has exposed personal information from 42 million accounts. The compromised data include email addresses and unencrypted passwords. The data theft was discovered because it was stored on the same server where attackers had stored data stolen from Adobe, PR Newswire, and several other organizations. The Cupid Media breach apparently occurred in January 2013, and users were notified. The Australia-based company operates more than 30 specialized dating websites. [ComputerWorld]

Identity Issues

US – Screen Actors Guild Sides Against Amazon in Privacy Dispute

The Screen Actors Guild (SAG) has announced it is supporting an actress’s privacy suit against The SAG said the company “committed an unconscionable breach of trust” when it accessed actress Junie Hoang’s credit card information to determine and publicize her real birthdate. “Individual IMDb profiles contain information that most people would consider private and that can be used for improper purposes,” the SAG wrote in an amicus brief to the Ninth Circuit Court of Appeals. [MediaPost]

Internet / WWW

WW – UN Passes Internet Privacy Resolution

The United Nations General Assembly’s Human Rights Committee has unanimously approved an unlawful surveillance resolution originally proposed by Brazil and Germany. Though symbolic, the resolution looks to pass along privacy rights to people around the world. The U.S., along with the other “Five Eyes” nations, had tried to dilute some of the resolution’s language, the report states. Brazil’s UN ambassador said the resolution “established for the first time that human rights should prevail irrespective of the medium and therefore need to be protected online and offline.” Germany’s ambassador queried, “Is the human right to privacy still protected in our digital world? And should everything that is technologically feasible, be allowed?” [Associated Press]

EU – EDPS: Telecoms Market Reform Plan Would Put Privacy at Risk

New net neutrality laws would mean Internet users’ privacy rights would be at risk, according to the European Data Protection Supervisor (EDPS). The European Commission’s telecoms market reform plans would allow Internet service providers to engage in “wide-scale, preventive monitoring of communications content,” an affront to data privacy and protection as well as consumer trust in electronic communication services, the EDPS said. []

WW – Facebook Forges Ahead with Planned Changes

While Facebook has moved forward with changes to its privacy policies alerting users it may use their profile pictures, location and other personal information in advertisements, the company has deleted a controversial line in the policy on teens’ use of the site. The line stated Facebook assumed teens had obtained permission from their parents, drawing the ire of critics including Sen. Ed Markey (D-MA), who said Facebook should not profit from the personal information of children and teens. Facebook Chief Privacy Officer Erin Egan said, however, that the company wouldn’t gain additional rights as a result of the statement; rather, it was meant to get kids and their parents discussing the terms, The Washington Post reports. [Washington Post]

Law Enforcement

EU – Things Looking Up for U.S./EU Relations on Law-Enforcement Access?

U.S. Attorney General and Acting Secretary of the Department Homeland Security Rand Beers met yesterday with EU Justice Commissioner Vivane Reding, Lithuanian Justice Minister Juozas Bernatonis and other EU officials at the Justice Deparetment in Washington. Prior to the meeting, reports Bloomberg, Reding spoke of a new accord between the U.S. and EU that would “contribute to restoring trust in trans-Atlantic relations, which is of particular importance at this moment in time” (you can see Reding’s speech here). Later, in an interview with DW, Reding said the EU is “negotiating a framework agreement to protect the data of European and American citizens when there is judicial and police cooperation between the two continents.” Officials on both sides agreed to seek a new accord by mid-2014. [Bloomberg]


AU – Pilgrim Discusses New Powers

Privacy Commissioner Timothy Pilgrim said his office “won’t take a ‘softly-softly’ approach with new regulatory powers that will become available to it in March.” Pilgrim said “The two sets of principles we have are fundamentally very similar to the ones that are coming into place. The private sector has been working with them for over 12 years; the government has been working with them for over 25 years; there’s a common theme, so there shouldn’t be a big challenge in complying with them.” He noted, however, that for “difficult organisations and some intransigent organizations,” the office would take a stricter stance. Meanwhile, the Australian Law Reform Commission will be recommending updates to privacy laws to address serious invasions of privacy. [IT News ull]

HK – Critics Say Hong Kong Data Protection Law Needs Update

Critics of Hong Kong’s data protection law say the law is “miles away” from comparable laws internationally and needs an update in order for the city to tackle privacy challenges and embrace opportunities presented by public data use,. Reviews of the law have come following the privacy commissioner’s forced shutdown of mobile app “Do No Evil” for privacy violations. “There is a need to conduct a public consultation again to see whether people think the law now needs to be amended,” said lawmaker Charles Mok, adding he hopes the government will engage the public. [South China Morning Post]

SA – South Africa: Zuma Signs Privacy Bill Into Law

South African President Jacob Zuma’s administration announced on Wednesday that he has signed the Protection of Personal Information Bill into law. “The act will give effect to the right to privacy, by introducing measures
to ensure that the personal information of an individual is safeguarded when it is processed by responsible parties,” said presidential spokesman Mac Maharaj. The bill contains eight principles that express the right to privacy provided in the constitution and establishes the Office of the Information Regulator, which will take over responsibility for the Promotion of Access to Information Act. [Global Post]

IN – India’s Privacy Bill to See Further Delay

Differences between the ministries of Home and Law and the Department of Personnel and Training mean the Right to Privacy Bill has little chance of being tabled in this winter’s session of Parliament. The bill was originally proposed in 2011 and aims to “safeguard security interests of all affected individuals whose personal data has or is likely to have been compromised by such a breach.” Causing the divide is a provision stating the proposed law will supersede all provisions of the 58 existing laws that touch on privacy, Economic Times reports. An official at the Department of Personnel and Training told ET that the bill has been “stuck at the law ministry for several months now.” [Indian Express]

Online Privacy

WW – Viral Video Exposes Privacy Disconnect

A video went viral last week in which the host, Jack Vale, decided he wanted to know “how easy it would be to get personal information from complete strangers.” Vale located nearby social media users by using his own location and identifying nearby users who publicly posted basic personal information. It turned out that identifying and gleaning additional personal data was relatively simple. Privacy Perspectives explores the experiment, looking at “what seems to be a common disconnect between our online and offline lives” and possible lessons for online businesses. [Full Story]

WW – Browser Extension Allows Users to Use “Fake” Identifiers

U.S.-based Abine is adding features to its anti-tracking browser extension to allow users to hide their personal details during web transactions. The features are being added to “DoNotTrackMe,” an extension for browsers such as Firefox, Internet Explorer, Chrome and Safari. Users can give a one-time credit card number and a disposable e-mail address and phone number, the report states, rather than using their real details. [PC World]

Other Jurisdictions

AU – Final Set of APPs Released for Comment 

The Office of the Australian Information Commissioner (OAIC) has released the final set of Australian Privacy Principles (APPs). APP 12 and 13 cover access to and correction of personal information and require organisations to give consumers access to the information organisations hold on them and to take reasonable steps to correct information as well as “contact other organisations that hold the same information about a person so that they can update these details,” the report states. The consultation period is open until 16 December. [ComputerWorld]

MY – Long-Delayed Malaysian Data Protection Law Now In Effect

Passed originally in 2010, Malaysia’s Data Protection Law is now actually in effect, after years of postponements. The Malaysian Minister of Communications and Multimedia announced on November 14 that the law would go into effect the next day, leaving professionals to scramble to make sure they are in compliance. Major features of the law include: An exemption for Malaysia’s federal and state governments, a category of personal data that is considered so sensitive that it requires explicit consent, cross-border transfer restrictions and criminal penalties of up to $156,000 and imprisonment of up to three years. [Hunton & Williams’ Privacy and Information Security Law Blog]

Privacy (US)

US – Site Settles After State Alleges COPPA Violation 

New Jersey has reached a settlement with a California app developer who allegedly violated COPPA by collecting the personal information of customers, which included children. Dokogeo has agreed to pay the state $25,000, but that payment will be suspended for 10 years and voided if the company complies with the settlement’s terms, which include Dokogeo’s disclosure of the type of information it collects on its apps and website and how it shares data with third parties. Meanwhile, attorneys at Reed Smith discuss the increasing attention state Attorneys General are paying to privacy lately. []

US – Apple Wins iPhone Privacy Lawsuit Dismissal

A federal judge has dismissed a lawsuit that accused Apple of not complying with the privacy promises it makes to iPhone and iPad users. The class alleged the company violated its privacy policy by allowing unique identifiers to be shared with third parties, thereby compromising user privacy. U.S. District Court Judge Lucy Koh ruled consumers failed to show they had read the privacy statements prior to purchasing the devices and none had submitted evidence they “read or relied on any particular Apple misrepresentation regarding privacy.” [MediaPost]

US – Data Broker Settles With NJ Attorney General

A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [InformationWeek]

US – ProPublica Hires Angwin to Investigate Privacy Issues

ProPublica has announced the hiring of investigative journalist Julia Angwin of The Wall Street Journal to cover privacy, technology and the surveillance state beginning early in January. Beginning in 2010, Angwin led a team of reporters to chronicle online privacy issues in The WSJ’s “What They Know” series. She is also the author of the forthcoming Dragnet Nation: A Quest for Privacy, Security and Freedom in a World of Relentless Surveillance. “Julia brings with her a magnificent portfolio of work, and she will be a stellar addition to our staff,” said ProPublica Managing Editor Robin Fields. [ProPublica]

US – Opinion: NSA Dragnet “Violates the Spirit of Framers’ Intentions”

Sens. Ron Wyden (D-OR), Mark Udall (D-CO) and Martin Heinrich (D-NM) write that, “The bulk collection of Americans’ telephone records—so-called metadata—by the National Security Agency (NSA) is, in our view, a clear case of a general warrant that violates the spirit of the framers’ intentions.” The senators opine that there’s no proof of the program’s usefulness in protecting national security and call for an end to it while promoting their Intelligence Oversight and Surveillance Reform Act and expressing disappointment with the Intelligence Committee for rejecting the act in multiple forms. Meanwhile, some are questioning the credibility of the Review Group on Intelligence and Communications, which will soon deliver a report on the NSA’s surveillance activities, saying it is made up of administration insiders. [The New York Times]

WW – Twitter Encrypts; Zuckerberg Says Gov’t “Continuing to Blow It” on Privacy

Twitter has announced it has encrypted its services to protect user data from cyber criminals and intelligence agencies. Lawyers for Lavabit—which closed its e-mail services rather than share master encryption keys with the government—have filed a reply brief in a case that may determine whether a company must be compelled to turn over such keys. Lavabit Founder Ladar Levison recently spoke about his experience with The Privacy Advisor. Meanwhile, the NSA’s John Inglis said he is skeptical about the NSA sharing the vast troves of data it collects with other federal agencies such as the FBI or DEA—indicating he does not agree with a reform bill proposed by Sen. Diane Feinstein (D-CA). The Wall Street Journal reports that a federal judge appears to be “receptive to critics” of the NSA’s collection of phone metadata, but one federal lawyer has argued that Americans have “no expectation of privacy” in making phone calls. And on ABC’s This Week , Facebook CEO Mark Zuckerberg said the U.S. is “continuing to blow it” on privacy issues. [Full Story]

US – BBB: Ad Campaign Violated Industry Code

The Better Business Bureau has said a genetic testing company’s recent online ad campaign didn’t comply with the ad industry’s privacy code. Company 23andMe retargeted users who had visited 23andMe’s website, according to the report, but the ads lacked the AdChoices icon, which allows users to opt out of behavioral advertising. The company as well as its ad-campaign agency and the platform used all said they expected the other to serve the icon. The failure “highlights the need for greater awareness and vigilance from all companies that comprise this diverse and interdependent ecosystem,” the Better Business Bureau said in a statement. [MediaPost News]

US – FTC Announces New Chief Technologist, Senior Advisor Privacy/Security

The FTC has announced the appointments of Harvard University Prof. Latanya Sweeney as chief technologist and University of Pennsylvania Wharton School Assistant Prof. Andrea Matwyshyn as a senior policy advisor on privacy and data security issues. “I am delighted to welcome Latanya to the FTC. She has done groundbreaking work in the anonymization of sensitive consumer information and privacy technology, and I look forward to the contributions she will make to the FTC’s efforts to protect consumers,” said Chairwoman Edith Ramirez, adding, “Andrea is a rising academic star whose insights on the intersection of technology innovation and data privacy and security law will be enormously valuable to the FTC’s efforts to protect consumer privacy while promoting innovation. [Full Story]

Privacy Enhancing Technologies (PETs)

WW – Will the Internet Become Private as a Standard?

The Internet Engineering Task Force (IETF) has asked the architects of Tor, a privacy-protecting web-browsing tool, to discuss the idea of using their product to make private web browsing the Internet standard, Salon reports. “Collaborating with Tor would add an additional layer of security and privacy … that goes beyond encrypting your communications,” the report states. Andrew Lewman, executive director of Tor, says the idea is “worth exploring to see what is involved. It adds legitimacy; it adds validation of all the research we’ve done”; however, he adds, “The risks and concerns are that it would tie down developers in rehashing everything we’ve done, explaining why we made decisions we made. It also opens it up to being weakened.” Meanwhile, new app Aether is an encrypted network that lets people share content anonymously. [Full Story]

WW – Software Aims to Protect Social Media Content

Managing social media privacy settings might become easier due to software that can suggest privacy settings for content you share with different groups. The software uses data-mining techniques to analyze the structure of users’ social network and then predicts what kind of privacy they would choose, the report states. It was developed by researchers at Penn State and the Missouri University of Science and Technology, and its developers say the software is 77%- accurate in guessing what kind of privacy people would assign each piece of content. [MediaPost]

EU – EuroPriSe Seal To Change Hands January 1

The German data protection authority that operates the EuroPriSe privacy certification seal, the Independent Centre for Privacy Protection Schleswig-Holstein (ULD), announced this month that it is transferring operations to a new entity to be known as EuroPriSe GmbH as of January 1. This, said Thilo Weichert, head of ULD, will allow the program to grow in a way that was not possible as part of a regulatory body like ULD. Jurgen van Staden of 2B Advice explains the new organization will allow for extending certifications to a much larger group of methods, concepts, people, training sessions and websites “in accordance with the tried and tested certification structure EuroPriSe experts and customers have come to know.” [Privacy Advisor]

WW – LG Investigating Reports of Smart TV Data Snooping

LG is looking into reports that some of its Smart TVs are gathering information about customer viewing habits and sending the data back to the manufacturer. The activity reportedly occurs even when customers have turned on certain privacy settings. A recent blog (link in BBC story) said that the TVs gather data about which channels customers watch and what devices are connected to the television. The blogger found that an option allowing collection of viewing data was on by default, but even after he switched it off, the information was still being sent, although a flag in the data indicated that he had changed that preference. A second blogger says that LG Smart TVs share not only that information but also the names of files shared on home and office networks. Asked for comment, LG responded, “Customer privacy is a top priority at LG Electronics and, as such, we take the issue very seriously. We are looking into reports that certain viewing information on LG Smart TVs was shared without consent.” [CNET UK] [BBC] [Ars Technica] [Ars Technica] [Opinion: TV’s Rollout Shows Lack of PbD, Transparency]

WW – LG Plans To Update Firmware Following Smart TV Allegations

Following a UK blogger’s allegations that smart TVs are collecting user data on such details as what channels are watched and the names of media files streamed over networks, LG has responded saying that the information collected was “not personal but viewing information.” The company said it has verified that even when the Smart TV platform is turned off by the user, information apparently continues to be transmitted, though the data is not retained by the server. “A firmware update is being prepared for immediate rollout that will correct this problem on all affected LG Smart TVs so when this feature is disabled, no data will be transmitted,” the company said. [CNET]

WW – Open-Sourced Router Privacy Project Unveiled

Embedded systems design company Redfish Group has launched an open-sourced router project to help protect online privacy. Called ORP1, the project aims to protect the privacy of users across all their devices located within their homes. ORP1 is set to feature a user-friendly interface with an OPSec virtual privacy network and Tor server, the report states. Redfish Managing Director Justin Clacherty said, “I’ve really wanted to get an open networking platform out there for a while now, and we just felt that a router was the way to go, especially with all the NSA revelations and people’s worrying about the different U.S. tech companies providing equipment to us, which may have backdoors.” [ZDNet]

US – Washington’s Complex Approach to Data Brokers

Politico reports on two current government investigations into data brokers and what those could mean for the federal government’s approach to the industry. The FTC and the Senate Commerce, Science and Transportation Committee are each conducting separate investigations. It is not yet known when results will be arrive, the report states. FTC Commissioner Julie Brill has been promoting her Reclaim-Your-Name concept , a one-stop shop for consumers to access their online profiles compiled by data brokers, but the marketing industry is pushing back. Direct Marketing Association Vice President for Government Affairs Rachel Thomas said, “We don’t believe a one-stop, one-size-fits-all web portal with every data broker in the world is going to be something that actually increases consumer understanding in the way that is necessary.” [Politico]

WW – How To Do PbD in Predictive Analytics

IBM Fellow and Entity Analytics Group Chief Scientist Jeff Jonas discusses his involvement with Privacy by Design and how he integrated it into new predictive analytics software. Jonas has created technology that allows businesses to collect and analyze data from multiple sources in real time to help make “smart” decisions. He said, “One of my goals in the use of Privacy by Design in the G2 project was what kind of privacy features can I bake in that cost no more? In other words, they’re by default. They’re built in. In fact, a few of them, you can’t even turn them off. That way, someone’s not left there with a decision, ‘Yeah, we trust ourselves. I don’t have to pay extra for a privacy feature. I’d rather just buy more disk space.’” [Data Informed]


US – Technology Council Report Says Govt Needs to Improve Cybersecurity

A report from a presidential technology council says that the US government is not setting a good example in cybersecurity. According to the report from The President’s Council of Advisors on Science and Technology, “the Federal Government rarely follows accepted best practices.” The report’s “Overarching Finding” reads: “Cybersecurity will not be achieved by a collection of static precautions … [but instead] requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses.” Among the report’s recommendations is that Internet service providers (ISPs) increase their real-time threat response. [Ars Technica] [SC Magazine] [Report]

US – Will A Not-So-Friendly R2-D2 Be Your Next Security Guard?

“The night watchman of the future is five feet tall, weighs 300 pounds and looks a lot like R2-D2—without the whimsy.” A California company’s mobile robot. Knightscope’s K5 Autonomous Data Machine, was unveiled, developed “as a safety and security tool for corporations, as well as for schools and neighborhoods,” the report states. Some see such a move as “an entry point to a post-Orwellian, post-privacy world,” the report states, quoting the Electronic Privacy and Information Center Marc Rotenberg as saying, “This is like R2-D2’s evil twin.” [The New York Times]

UK – Air Passengers Allowed to Refuse Scanners as More Are Installed

Security scanners are currently in use at 10 of the UK’s busiest airports and are being deployed at 11 more, according to Transport Secretary Patrick McLoughlin. At the same time, passengers are now being offered alternate options after refusing to go through the scanners, while previously they were simply not allowed to fly. “From today, passengers who opt out of being screened by a security scanner will be allowed a private search alternative. This is a method of screening which we consider is of an equivalent security value to a security scan,” McLoughlin said. [Computerworld UK]

WW – Companies Largely Support BYOD, Lack Sufficient Policies for IT

While the majority of IT specialists say their companies support bring-your-own-device (BYOD), a recent survey indicates they don’t use tools or policies to protect corporate data, Bank Systems & Technology reports. The Zix Corporation and Ponemon Institute survey found that 56% of respondents say their companies seek to replace current BYOD solutions. “Companies are swiftly adopting BYOD to enable work productivity and create efficiencies but are hitting significant road bumps in cost, security and employee concerns,” said the Ponemon Institute’s Larry Ponemon. Meanwhile, one security expert cautions against the pitfalls of BYOD policies, including a once-size-fits-all approach. [Full Story]

US – NIST Holds Last Workshop Before Cybersecurity Framework Becomes Final

The National Institute of Standards and Technology held its fifth workshop on President Barack Obama’s executive order for a cybersecurity framework, the last before the framework is due to be finalized in February. The workshop was intended to solicit feedback from stakeholders. While many expressed enthusiasm about the swiftness with which the framework has moved from concept to model, there are still questions on how to apply the framework and what adoption will look like. “From my perspective, the framework should be used as a guidance,” said AT&T’s vice president of global public policy. [Computerworld]

US – US Defense Contractors Now Required to Implement Security Standards

The US Department of Defense (DOD) will now require contractors to implement “established information security standards” on all classified and unclassified networks. Companies contracted to make weapons for DOD will be required to report all network security breaches “that result in the loss of unclassified controlled technical information.” The requirements will be built into contracts. [The Hill] [Yahoo! ] NextGov] [Defense Federal Acquisition Regulation Supplement: Safeguarding Unclassified Controlled Technical Information]


US – FAA Unveils Privacy Rules for Test Sites

The Federal Aviation Administration (FAA) has issued privacy requirements for U.S.-based drone testing sites. Earlier this year, the FAA announced there will be six drone testing sites to help integrate the technology into the National Airspace System. Some have questioned whether the agency has the authority to issue privacy requirements. One commenter said, “Existing privacy laws are sufficient to cover the responsible use of (drones). There already exist federal, state and other laws that protect privacy … tort law may also provide avenues of recourse for plaintiffs to protect their privacy rights.” The ACLU’s Chris Calabrese said the government has taken an “important step” by issuing the requirements, but added, “Congress must also weigh in on areas outside the FAA’s authority…” [Courthouse News Service]

US – Amazon Envisions Eventually Delivering Packages in 30 Minutes Via Drones

On 60 Minutes, Amazon CEO Jeff Bezos unveiled plans to use unmanned aerial vehicles (UAVs) to deliver packages to customers. University of Washington Law Prof. Ryan Calo said this is the type of commercial application Congress envisioned when it ordered the Federal Aviation Administration (FAA) to open up airspace to the technology. “By 2015, the FAA has to come up with a set of rules that integrates just the kind of thing that Amazon is talking about,” said Calo, adding that the agency may initially require humans to guide the UAVs remotely. [The Washington Post] [60 Minutes]

US – Data Broker Settles With NJ Attorney General

A firm specializing in the tracking of car buying has settled charges with New Jersey’s attorney general after it was accused of using code to identify websites visited by its customers without their knowledge or consent and selling the harvested data. At least 181,000 consumers were affected. The Tennessee-based data broker in question, Dataium, has been fined $99,000, payable over the next two years, and will be liable to pay a suspended amount of $301,000 if the company fails to comply with the settlement over the next five years. New Jersey Division of Law Director Christopher S. Porrino said, “Dataium allegedly used software code to track the websites visited by consumers without their knowledge or consent. The company also allegedly transferred the personal information of 400,000 consumers to one of the largest data brokers in the world.” Meanwhile, the city of San Diego, CA, has settled with a family after their DNA was swabbed without their consent by police. [Information Week]

WW – Suspicious Internet Route Hijacking Raises Concerns

Earlier this year, researchers began noticing suspicious activity called route hijacking, a type of man-in-the-middle attack on Internet traffic. The technique routes the traffic through countries around the world where it could be inspected and possibly altered before being sent on to its final destination. Internet traffic by its very nature can travel widely and by what would not appear to be the most direct path, but the recent attacks indicate that the traffic is deliberately being routed in certain ways. In some cases, large chunks of traffic from financial institutions, government agencies, and service providers in several countries have been routed through servers in Iceland and Belarus. [Ars Technica] [NBC News]

Telecom / TV

US – Investors Want AT&T, Verizon to Share Gov’t Requests

Investors have asked AT&T and Verizon to reveal what data was shared with U.S. and foreign governments and what measures were taken to protect users’ privacy. New York State Comptroller Thomas DiNapoli said, “Transparency allows investors to make informed decisions about corporate behavior … Publishing regular reports on requests for information from governments would be an appropriate response to shareholder and customer concerns about trust and privacy in the digital world.” A spokesman for AT&T said, “As standard practice we look carefully at all shareholder proposals, but at this point in the process we do not expect to comment on them.” Meanwhile, newly released FISA court documents reveal that the NSA shared bulk e-mail and phone records data with other government agencies, a violation of court-ordered procedures, The Guardian reports. [Bloomberg]

US Government Programs

US – U.S. Accountability Office Calls for Baseline Privacy Legislation

The Government Accountability Office (GAO) has released a report calling for a comprehensive federal law governing the collection, use and sale of personal data by businesses. The report was called for by Sen. Jay Rockefeller (D-WV) earlier this year. The GAO analyzed current law, regulation and enforcement actions and convened with representatives from government, advocacy groups, trade associations and data broker organizations, concluding, “Congress should consider strengthening the current consumer privacy framework to reflect the changes in technology and the marketplace, particularly in relation to consumer data use for marketing purposes.” The Direct Marketing Association (DMA) said, “While we do not share the GAO’s opinion … DMA was pleased to see that the report recognized the important economic benefits that derive from the responsible use of consumer data…” [AdWeek]

US – Six Practical Tips Gleaned from the DHS Annual Privacy Report

Privacy sector folks might think they don’t have much to learn from the Department of Homeland Security Privacy Office’s 2013 Annual Report to Congress, but you may find that the report contains plenty of relevant and useful information to help you manage your organization’s privacy program. Dennis Holmes tackles the task of analyzing the 86-page report and bubbling up the six practical tips most likely to give your program a boost. [Privacy Perspectives]

US Legislation

US – Pennsylvania Senate Committee Amends Proposal for DNA Database

The Pennsylvania Senate in June passed a proposal allowing police to collect and retain DNA from anyone arrested for a felony or misdemeanor, expanding the current law which allows for DNA collection from those convicted of a “serious felony.”. However, the House Judiciary Committee amended the bill before approving it to address concerns that the bill was too broad. One amendment would stop police from entering DNA data into any state or national database until a suspect is “held for court at a preliminary hearing or waives his right to the hearing,” the report states. Another makes it easier for those determined innocent to have their DNA records expunged. One ACLU representative says the amendments don’t go far enough. [The Sentinel]

US – NJ Social Media Privacy Law In Effect, NYC Debating Its Own

On the heels of New Jersey’s Social Media Privacy Law going into effect, the Staten Island City Council is looking at a bill that would provide similar protections for employees and potential employees. Councilwoman Debi Rose (D-North Shore) one of the bill’s sponsors, said it “would eliminate the ability of an employer to demand or retaliate against failure to divulge a job applicant’s or employee’s private social media account information,” adding, “Privacy rights in this technological age must be protected. Information that is
not available to the rest of the public cannot be demanded by an employer and should not hinder an individual’s prospective or current employment.” [SI Live]

US – Disparate State Laws = Breach Response Confusion, Unprotected Subjects

While companies work to navigate disparate state breach laws, plaintiffs’ lawyers are on the hunt for the next “mega lawsuit, and data privacy looks very promising with its litigation trifecta: major consumer exposure, complex and increasingly antiquated state and federal data privacy laws, and ever larger and more frequent data breaches.” Standardizing and modernizing data breach laws is the first step to protecting consumers and organizations, according to the report, noting that “as companies constantly work to keep one step ahead of the bad guys, the goal should be to achieve real data security with legal clarity, rather than another big payday for the plaintiffs’ bar.” [Mondaq]

US – VT Supreme Court Rules No Privacy on Workplace Computer

In a case that involved Rutland Police Department employees viewing and sending pornography on work computers while on duty, the Vermont Supreme Court ruled that the employees had no right to privacy. Additionally, because the computers were city property and the employees were on duty, there was no basis to redact personally identifying information from the records. The report from HR.BLR.comincludes major takeaways from the decision, including that “personal information about public employees may be disclosed if the broad public interest served by the disclosure outweighs individual employees’ expectations of privacy.”

US – FTC v. Wyndham: Round One

Last week, FTC v. Wyndham, a privacy case that commands the close attention of thousands of privacy professionals worldwide, challenging a decade of escalating Federal Trade Commission activity in the field of data security, went to oral arguments on the defendant’s motions to dismiss. Wyndham Worldwide Corporation was charged in June 2012 for “unfair and deceptive acts and practices” arising from alleged data breaches in its franchisees’ computer systems. In this exclusive for The Privacy Advisor, IAPP Westin Fellow Kelsey Finch examines this case, where the company is disputing whether “its failure to safeguard personal information caused substantial consumer injury,” and perhaps more importantly, whether the FTC even has the authority to regulate data security. [Full Story]

US – How To Handle California’s New DNT Law

Last month, California passed a new amendment to the California Online Privacy Protection Act (CalOPPA) that requires companies that collect personal information from Californians to address how they respond to Do-Not-Track (DNT) signals from browsers in their online privacy policies. According to Stephanie Sharron and Emily Tabatabai, the legislation “may raise as many questions as it answers,” because, due to the lack of consensus from the W3C, “companies are required to disclose how they respond to a browser’s DNT signals, when there is no consensus on what the DNT signal means in the first place.” So what are companies to do? Discover practical options in this Privacy Tracker blog post. [Full Story]

Workplace Privacy

US – Study Finds Hiring Discrimination Based on Social Media

A Carnegie Mellon study that found many businesses use social media to look up job applicants and suggests they use such data to discriminate. The study revealed that between 10% and one-third of U.S. firms searched social media to check on job applicants early in the hiring process. One of the study’s authors, Alessandro Acquisti, said, “By and large, employers avoid asking questions about these traits (such as religion or sexuality) in interviews,” adding, “But now technology makes it easier to find that information.” Meanwhile, The Atlantic’s featured article for December reports on the now common combination of Big Data analytics and human resources—also known as “people analytics”—and the way it’s transforming how employers hire, fire and promote employees. [The Wall Street Journal]

EU – Prosecutors Investigating IKEA Execs for Data-Spying

Prosecutors in France are investigating three senior IKEA executives amid allegations they authorized illegal spying on employees and customers. Chief Executive Stefan Vanoverbeke and two others were possibly involved in a “conspiracy to collect a range of personal information including criminal records, automobile registrations and property records,” the report states. According to prosecutors, the executives collected such data in order to watch employees and also reveal “unflattering details” about customers bringing lawsuits. IKEA France has been ordered to post a bond of 500,000 euros. [The New York Times]

US – Officers May Be Tracked Via GPS-Equipped Cars

Boston, MA, police officers are worried that their superiors will be tracking their every move now that Boston police cruisers are likely to be equipped with GPS tracking devices. Administrators say the devices will allow dispatchers to view where officers are located rather than waiting for a radio response, accelerating response times to crimes. The plan awaits the approval of the City Council. “Nobody likes it. Who wants to be followed all over the place?” one officer said. Officers would be alerted if someone from the public requested GPS records. Meanwhile, developers of license-plate tracking technologies are developing rich databases, the contents of which are sometimes for sale. [The Boston Globe]


01-15 November 2013


CA – Canadian Minister: Province to Address Gap

Saskatchewan Justice Minister Gord Wyant has said the government must address a “gap” in privacy protection for private-sector employees. “We, like Ontario and the eastern provinces, have relied on the federal legislation with respect to privacy matters in the private sector,” Wyant said. Referencing calls for change by Saskatchewan Information and Privacy Commissioner Gary Dickson, Wyant added “there’s a little bit of a gap when it comes to that area.” To address the issues, he said, “We’ve consolidated all the labour legislation into one piece, and we think that there’s a possibility of perhaps bringing some regulations forward under the employment act to cover off that issue.” [The Regina Leader-Post]


WW – Brick-and-Mortars Catch Up on Customer Tracking

Brick-and-mortar retailers are using face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.” [Reuters] See also: [Pandora Looks Past the Tracking Cookie by Mining User Data]

WW – Survey: Shoppers Unsure About Tracking-for-Coupons Model

While consumers are becoming more aware that they may be tracked as they walk around brick-and-mortar stores, “plenty still feel uncomfortable about it.” That’s according to a survey that found that nearly half of respondents said they would find it invasive if a store sent them a text-messaged coupon as they walked past that store. But only 35% said they found it invasive for a website to know their geographic location, suggesting “people are less comfortable being tracked on their mobile devices in a store than as they surf around the web,” the report states. [PC World]

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]

Electronic Records

US – Are There “Limitless” Privacy Risks to New Health Exchanges?

A government report on the Affordable Care Act health insurance exchanges details the “high risks” and potential “limitless” privacy concerns with the site. One key official in the Obama administration testified earlier this month that he was not copied on the memo detailing the risks. Centers for Medicare and Medicaid Services Deputy Director and Deputy Chief Information Officer Henry Chao, who “is in charge of … the operations of the agency’s information systems security program,” said, “It is disturbing” that he was not copied on the memo, adding, “This is … a fairly nonstandard way to document a decision.” [Forbes]

US – EHRs Make Audit Trails Much Easier To Follow

Electronic health records have made catching unauthorized viewers much easier. And that has illustrated the frequency with which unauthorized access occurs, such as last month’s notification by Minnesota’s Allina Health System that 3,800 patients’ personal health data had been breached by a medical assistant who had been improperly accessing the information for three years. The Department of Health and Human Services reports that since 2009, 27 million individuals have had their personal health data compromised. [Healthcare IT News]


WW – Microsoft Does Not Encrypt Server-to-Server Traffic

A Microsoft executive told members of the European Parliament that the company does not encrypt server-to-server data traffic. Dorothee Belz, Microsoft EMEA VP for Legal and Corporate Affairs said that the company is “currently reviewing [its] security system.” Belz appeared before a European Parliamentary committee with representatives from Google and Facebook. Earlier, she had stated that Microsoft did not allow “direct access” to its servers. The revelation about the unencrypted traffic between Microsoft servers follows close on the heels of leaked documents that indicate the NSA and GCHQ tapped into such connections between Google data centers to access data. [Ars Technica] [The Register]

US – Exclusive Interview with Lavabit Founder on the Day the FBI Came Calling

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. The Privacy Advisor describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not. [Privacy Advisor]

US – US Justice Dept. Files Brief in Lavabit Appeal

The US Justice Department has filed an appellate brief in the Lavabit case. The government maintains that Lavabit founder Ladar Levison’s promise of security to his customers does not exempt him or his company from having to comply with court orders. According to the brief, DOJ wanted the metadata from a single Lavabit account. (Although the investigation’s target is not specified, it is widely believed to be Edward Snowden.) The DOJ dismissed Levison’s concerns that it would use the SSL key it sought to peruse accounts of other Lavabit users. [WIRED] [ComputerWorld]

EU Developments

EU – Reding Says Data Protection Outside of TTIP’s Scope, Calls for an EU NSA

Officials in Brussels say Germany’s plan to push for tough data protection controls for the Transatlantic Trade and Investment Partnership is a “big surprise.” [Reuters] Despite a push from Germany to include data protection rules within the Transatlantic Trade and Investment Partnership in the wake of U.S. spying revelations, European Commission Vice President Viviane Reding says data protection is outside of the EU-U.S. pact’s scope. “The commission’s view and the position taken by all leaders at the recent European Council is clear: Let’s not mix up the phone tapping issue with the ongoing trade talks,” Reding said. Reding has also called for the EU to create its own intelligence agency by 2020 in order to “level the playing field” with the U.S. Meanwhile, U.S. Attorney General Eric Holder says the U.S. is taking note of Europe’s concerns. [Financial Times]

EU – Court Rules Google Must Remove Images from Search Results

A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst. [The Economic Times

UK – ICO: Cookie Replacements Must Follow Rules

The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forego cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature. []

EU – Garante Provides General Rules Following Outsourcing’s Growth

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, is providing its general rules to protect the privacy of Italian citizens. “At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU.” [Full Story]

EU – Garante, DIS Enter Cooperative Protocol

The Garante, Italy’s data protection authority, and DIS, the country’s intelligence department, have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet.” “At the same time this is a proof of evidence that a different model of cooperation on the ground of the intelligence services is possible. Citizens have to believe that another world is possible and their rights might be protected together with their security and safety.” [Privacy Advisor]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

UK – Message-Sender Successfully Appeals 300,000 GBP Fine

Christopher Niebel has successfully appealed a 300,000 GBP fine for sending spam text messages after challenging “whether the Information Commissioner’s Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws.” Niebel and fellow Tetrus Telecoms co-owner Gary McNeish were fined a combined 440,000 GBP by the ICO last year “for breaching the UK’s Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.” However, an Information Rights Tribunal upheld Niebel’s appeal, ruling “insufficient damage or distress had been caused to recipients to merit the penalty being imposed,” the report states. []

Facts & Stats

WW – Breaches More Widespread Than Reported

A new security survey has found that 57% of malware analysts said they have worked on enterprise-related data breaches that were not disclosed. The ThreatTrack Security survey interviewed 200 security professionals. For larger businesses, with more than 500 employees, the number jumps to 66%. The reason behind not disclosing breaches may stem from attempts to save brand reputation or avoid difficult questions from customers and investors. [ZDNet]


EU – Facebook Discloses Gov’t Data Requests

A recent hearing organized by the European Parliament’s civil liberties committee featured Richard Allan, director for public policy for Facebook in Europe, who discussed the number of demands for data by EU governments. Allan said Facebook received 8,500 requests from the EU on 10,000 user accounts during the first six months of 2013. By comparison, U.S. officials made 12,000 requests for data on as many as 21,000 user accounts. Meanwhile, CIO reports on the nuances of Facebook’s updated data use policy and statement of rights and responsibilities. And a new poll indicates four out of five people have changed the privacy settings on their social media accounts, most within the last six months. [New York Times Bits]

WW – Google Transparency Report

According to Google’s most recent transparency report, the US government made nearly 11,000 requests for user information from the company in the first six months of 2013. The Indian government made 2,700 requests of Google in that same period. The company makes note of the fact that the numbers represent only those requests that they are permitted by the US government to disclose. [CNET]

US – Apple’s Transparency Report Includes “Warrant Canary”

Apple has filed its first transparency report, enumerating government requests for data from devices, iTunes, and other content services. Along with the report, Apple has filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking approval to release more detailed information. Apple received the vast majority of its data requests from the US government, but also received requests from the governments of the UK, Germany, Australia, Spain, Singapore, and France. Apple’s report also includes these sentences: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” The statement is called a “warrant canary” because its absence from future reports would indicate that the company had received such an order. [CSMonitor] [ComputerWorld]

WW – Apple: “Our Business Does Not Depend On Collecting Personal Data”

Apple published a formal report on federal government data requests. In it, Apple says its business “does not depend on collecting personal data … We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches or Siri requests in any identifiable form.” It adds that the U.S. government doesn’t allow it to disclose the number of national security orders “or whether content, such as e-mails, was disclosed” and that it opposes such a gag order. Earlier this week, the company lobbied for restrictions on government surveillance. [All Things Digital]

US – Is California Transparency Law Still Effective 10 Years Later?

The American Civil Liberties Union of Northern California (ACLU) has published a policy paper looking at the state’s Shine the Light law of 2003. The paper looks at whether the law, now 10 years old, is still effective in providing transparency about how businesses handle personal data. “From revelations of widespread NSA spying to high-profile data breaches, the need to know what is happening to our personal information is more important than ever,” the ACLU said. [ACLU] [Losing the Spotlight: A Study of California’s Shine the Light Law]


WW – Microbe Research Raises Privacy Concerns

NPR reports on the American Gut Project , a “citizen science,” crowd sourced, microbiome initiative designed to help scientists learn more about the friendly and dangerous microbes living in and around the human body. Organizers of the project need reams of personal information—including swabbed samples and detailed logs of a subject’s daily diet—to help illuminate the research, but some bioethicists are expressing privacy concerns. One expert said, “If you have privacy concerns at all, you shouldn’t do it.” Though the information is confidential, there’s no guarantee that it will be protected and it’s possible that a volunteer’s DNA samples might inadvertently become public, the bioethicist noted. [Source]

Health / Medical

US – Hospitals Prepare to Digitize Records for Sharing

In Texas, a new program will digitize the medical records of every hospital in the San Antonio region. The data—about 600,000 records in total—will eventually be shared in real time with hospitals, doctors and patients themselves. Patients are permitted to opt out if they wish. Meanwhile, VMware has announced a new service aimed at helping with HIPAA security requirements by providing Business Associate Agreements. “The healthcare IT industry needs trusted, reliable and stable business associates that will help address the appropriate administrative, physical and technical safeguard requirements under HIPAA security rules,” said the chief information officer at Hackensack University Medical Center. [Texas Public Radio]

US – Breach Settlement First to Award Plaintiffs Who Aren’t ID Theft Victims

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. A report from Becker’s Hospital Review notes that it is the first breach case to extend payments to plaintiffs who were not victims of identity theft. “Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft,” states Reed Smith’s Global Regulatory Enforcement Law Blog.

Horror Stories

US – One Million Affected in Software Company Site’s Hack

Internet security firm Hold Security says it has discovered that a limousine software company has been hacked, resulting in credit card numbers and other details on close to one million customers being exposed. Jonathan Mayer, a cybersecurity fellow at Stanford University, said Corporatecaronline’s website was running outdated software that made it vulnerable, but “you don’t have to be a big target to be at risk online anymore. This is the new normal, and it underscores the need for improving the regulatory framework.” [Detroit Free Press]

EU – Loyaltybuild Data Breach Affects More Than One Million People

More than 1.5 million Europeans have had personal information compromised by a security breach at Loyaltybuild, a company that manages customer loyalty programs across Europe. International security firm Garda has launched an investigation into the incident, which saw nearly 400,000 individuals’ credit card details exposed. Irish Data Protection Commissioner Billy Hawkes said the financial data was not encrypted. Another 150,000 individuals’ details have been “potentially compromised,” and the breach looks to be the result of an external criminal act, Hawkes said. Meanwhile, in the U.S., hundreds have been affected by a data breach dating back to 2001 in Indiana. [Irish Times] [The Register] [Irish Examiner]

Internet / WWW

WW – At Hearing, Google Says NSA Could Cause “Splinternet”

During a Senate Judiciary Subcommittee hearing on the Surveillance Transparency Act of 2013, Google Director of Law Enforcement and Information Security Matters Richard Salgado expressed concerns that the Snowden disclosures, along with gag orders placed on the company by the U.S. Department of Justice, are hurting U.S. businesses around the world economically and may cause a fractured Internet. Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” he said. [The Privacy Advisor].

EU – Germany and Brazil Present Internet Privacy Resolution to UN

Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution. [The Associated Press]

US – NIST Looking for Advisors for Privacy Panel

The National Institute of Standards and Technology (NIST) has announced it is looking for new members to its Information Security and Privacy Advisory Board (ISPAB). The board’s objective is to identify emerging issues affecting information security and privacy and advise NIST’s leadership, the secretary of commerce and the Office of Management and Budget on such trends. A NIST notice states , “Nominees should have specific experience related to information security or privacy issues, particularly as they pertain to federal information technology.” Microsoft Chief Privacy Officer Brendon Lynch wrote about why privacy professionals are needed in the NIST framework process. [Government Security News]

US – NIST Will Review Standard Development Process

The National Institute of Standards and Technology (NIST) plans to review its standards development process. The organization hopes to restore the credibility that took a hit several months ago when news stories broke that the NSA may have included a backdoor in a NIST-approved encryption algorithm. NIST will open its process for public review as well as review by an as-yet unnamed third-party organization. In a November 1 statement, NIST wrote, “Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.” [Ars Technica]


NZ – Parliament Considers Privacy Principles

The New Zealand Parliament is considering adopting a set of privacy principles that would help protect both MPs and journalists. Privacy Commissioner Marie Shroff, who recently reflected on the evolution of privacy in the past decade, told Parliament’s Privileges Committee “it might be useful for the Privacy Act principles to be used as some sort of a guide within the Parliamentary precinct when difficulties occur over the use of information.” With the Privacy Act and the Official Information Act already established, she suggested there is no need to “reinvent the wheel.” [Radio New Zealand]

NZ – Bill Could Put Cyber Bullies Behind Bars

A new bill being introduced in the New Zealand Parliament could see cyber bullies facing up to three years in prison. The Harmful Digital Communications Bill is backed by Justice Minister Judith Collins and would create a criminal offence for “sending messages or posting material online with intent to cause harm—including threatening and offensive messages, harassment, damaging rumours and invasive photographs,” punishable by up to three months in prison or a $2,000 fine, the report states. The bill would also establish an agency responsible for handling complaints. [The Sydney Morning Herald]

ID – Indonesia May Consolidate Privacy Law

“Indonesian data privacy protection is spread over several pieces of legislation such as the Human Rights Law, ITE Law, Code of Criminal Procedure and others,” but the government is discussing consolidating it into a single law, Lexology reports.

IN – Analysis of India’s Privacy Bill

Neeral Dubey of PSA Legal Counsellors examines The Privacy Protection Bill, 2013 for Mondaq, including the domain and protection of personal data and the punishment for offenses. “Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit,” Dubey writes, concluding, “Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.”

Online Privacy

EU –Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland

Swiss telecommunications company Swisscom plans to establish a “Swiss cloud” that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country’s government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance. [The Register] [] [Ars Technica] [Reuters]

US – MIT Launches Big Data Privacy Working Group

The Massachusetts Institute of Technology (MIT) Big Data Initiative, under its Computer Science and Artificial Intelligence Lab (CSAIL), has announced it is launching a new Big Data and Privacy Working Group to bring together industry, government and academia to address and find solutions for problems arising out of the intersection of Big Data innovation and privacy. CSAIL Principle Research Scientist Daniel Weitzner said, “The goal of the group is to encourage long-term thinking on the role of technology in protecting and managing privacy, in particular when large and diverse data sets are collected and combined,” and added, “We have a wide variety of technical approaches to privacy protection but don’t have a good handle on how they might actually work at scale or whether we need to develop new technical tools.” [MIT News]

US – Schools Share $38 Million Big Data Grant

The University of Washington, New York University and the University of California-Berkeley are sharing a $38 million grant to spread Big Data analysis skills to various professional fields. “Our goal is to figure out how to rapidly evolve universities to support and utilize data-intensive discovery,” said Ed Lazowska, eScience Institute founder and computer science professor at the University of Washington. “We have been doing this on a small scale, but now we’ll be able to work the problem at a large scale and as a collaboration among three teams that include some of the strongest faculty at some of the nation’s strongest universities.” [The Seattle Times]

US – Plaintiffs: VPPA Case Should Proceed, Even With Lack of Financial Harm

Hulu users involved in a potential class-action lawsuit are urging a federal judge to allow the case to proceed. The Hulu users have asked U.S. District Court Judge Laurel Beeler to reject Hulu’s motion to be awarded summary judgment in the case, saying that the case should proceed even if they do not prove financial harm. The class members claim Hulu violated the Video Privacy Protection Act (VPPA) by allegedly sharing user data with Facebook and comScore, but Hulu claims that consumers were not financially harmed in the case. The consumers argued, “A violation of the VPPA simply does not require a threshold showing of pecuniary damages.” [MediaPost]

US – Colleges Increasingly Checking Applicants’ Social Media Accounts

According to Kaplan research, 31% of admissions officers visited an applicant’s Facebook page or other social media account last year in determining admissions, a 5% jump over last year. The research is indicative of the increasing role students’ digital footprints play in whether or not they gain admission to college in the U.S. “To me, it’s a huge problem,” said Bradley S. Shear, a social media-focused lawyer. “Often, false and misleading content online is taken as fact.” However, we might all agree that one Bowdoin College applicant’s decision to snarkily tweet mean-spirited comments about fellow applicants while on a tour of the school was ill advised. [New York Times]

WW – Facebook Asks Adobe Users to Change Passwords

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.” [KrebsonSecurity]

WW – Closed-Circle Feature Added to Google+

Google has added a new feature to Google+ to ensure private conversations remain private. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created. [Think Digit]

WW – Google to Limit Windows Chrome Extensions to Chrome Web Store

in January 2014, Users of Chrome on Windows will be permitted to install extensions only from The Chrome Web Store. Currently, users are asked if they want to install extensions when they originate outside of the Chrome store, but attackers have found methods to bypass that warning mechanism. [CNET]

WW – Chrome Canary Detects Suspicious Downloads

The Canary build of Google’s Chrome browser has been updated to include functionality that detects malware attempting to download. A warning will appear at the bottom of the browser window when Canary detects an attempted malware download. Chrome Canary build is the name given to the “bleeding edge” channel of the browser, before it reaches the channel. Most features that are added to Canary do eventually appear in Dev, and then on into Beta and Stable versions of the browser. [ComputerWorld] [The Register]

WW – Firefox Beta Moves Toward Click-to-Run Default for Plug-ins

The most recent beta version of Firefox moves closer to making “click-to-run” the default status for all plug-ins. The new feature will not automatically run plug-ins when pages are opened. Instead, users will see a box warning that the plug-ins the page requires may be vulnerable. Content will display only if users explicitly allow each plug-in. The only exception will be the most recent version of Flash. Other browsers have made exceptions for Flash as well. Google bundles Flash in its Chrome browser, making sure to push out updates when available, so that users are always running the most current version. [The Register]

WW – Microsoft Updates Policy Ahead of xBox One Launch

Ahead of the launch of the Xbox One, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law.” Users are permitted to disable targeted ads and tracking through an opt-out page. [Ars Technica] See also: [Will Kinect 2.0 and COPPA Play Well Together?]

Other Jurisdictions

BR – Brazil Calls for End to “Excessive Electronic Surveillance”

Following the country’s outrage over the U.S. National Security Agency’s (NSA) spying scandal and calls for new legislation, Brazil has put forth a resolution calling for an end to excessive electronic surveillance. Brazilian President Dilma Rousseff, who canceled a trip to Washington, DC, following reports that the NSA had intercepted data from her office, said the U.S. has broken international law. “Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal,” Rousseff said. “They are unacceptable.” [BBC News]

KZ – Kazakhstan Privacy Law Coming Into Effect Soon

Kazakhstan’s data privacy law, On Personal Data and Their Protection, goes into effect on November 26, making it the second country in Central Asia to enact a privacy law, reports Hunton & Williams’ Privacy and Information Security Law blog. The new law will work with the existing sectoral regulations and, while no English translation is available, according to the report, analyses suggest it applies to both public and private sectors.

CN – China Amends Consumer Protection Law

The Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests, reports Hunton & Williams’ Privacy and Information Security Law Blog. The amendments will take effect on March 15 and include increased penalties for violations of consumer rights, a new rule on punitive damages and a ban of unauthorized disclosures of consumer personal information, among others.

BR – Brazil to Consider Online Privacy Bill

Brazil will take up an online privacy protections bill that business groups fear will stymie the free flow of data. The bill, to be considered by Brazil’s Chamber of Deputies this week, would create restrictions on how Internet service providers use Brazilians’ personal data and would require companies to build local data centers in order to do business in Brazil. “Global data flows rely on data centers dispersed all over the world,” wrote a group of 47 industry reps from the U.S., Brazil, Europe and Japan to Brazil’s National Congress. “Thus, in-country data storage requirements would detrimentally impact all economic activity that depends on data flows.” A vote could take place Monday. [Politico]

Privacy (US)

US – Judge: Peer-to-Peer Data Isn’t Protected Under Fourth Amendment

A federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network. The case involved three men charged with a crime who claimed the police illegally gathered data from their computers using a peer-to-peer search tool and then obtained a search warrant based on that data. The defendants asked the judge to suppress the evidence based on a violation of their Fourth Amendment rights, but District Court Judge Christina Reiss denied the motion, stating the defendants made the data public when they posted it over a peer-to-peer network. Other courts have ruled similarly where peer-to-peer networks are involved. [Computerworld]

US – FTC Denies Company’s Consent Method

The FTC has denied AssertID’s application seeking approval of a parental consent method. The FTC said in a letter to the company that its proposal “failed to provide sufficient evidence that its method would meet the requirements” under the Children’s Online Privacy Protection Act. The company hoped to use a method called “social-graph verification,” but the FTC said in a 4-0 vote there hadn’t yet been sufficient research or testing to prove its efficacy. [FTC Press Release]

US – Internet Association Backs Airbnb in NY Privacy Conflict

The Internet Association—a group of web companies including Google, eBay, Facebook and Amazon—have filed papers in New York arguing that an attempt by the state’s attorney general to compel Airbnb to turn over its customers’ data will set a precedent that could harm online business. “The prospect of law enforcement authorities, regulators and other government personnel being able to obtain broad swaths of information about consumers under no articulated suspicion of wrongdoing would unduly discourage participation in these online services,” the filed paper states. [MediaPost]

US – Parents to Sue NY Education Dept.

A group of New York City parents is planning to file suit “to block the state Education Department from sharing their kids’ data—including test scores and discipline records—with private companies.” The suit, which is to be filed in New York Supreme Court, comes in response to “the controversial $100 million inBloom project being built by the company Amplify,” the report states, noting the parents allege the project “violates the state’s Personal Privacy Protection Law, forbidding state agencies from giving personal info to companies without consent, unless state law specifically requires the agencies to do so.” The suit follows concerns about inBloom raised in other states. []

US – Man Says Data Broker Is Liable in Harassment Case

A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act. [Law360]

Privacy Enhancing Technologies (PETs)

WW – Two Tracking Techs Emerge from Hackathon

Last week, online privacy service Ghostery hosted a hackathon to create new user-friendly technologies to enhance online privacy. One team created a browser plug-in to reveal the companies that are tracking users by placing photos of the companies’ top executives on screen. A second top vote-getter focused on measuring the amount of time trackers add to page loading time. The latter system works in tandem with Ghostery and allows users to opt out of tracking. For the next month, users in the Ghostery community have the option to vote for the best service, which will then present its technology at South by Southwest next year. [AdAge]

US – NIST to Update Smart Grid Guidance

The National Institute of Standards and Technology (NIST) is revising its smart grid guidance to address vulnerabilities and privacy issues that have become more of a concern over the past few years. While the U.S. power grid is years away from being a true smart grid, NIST says in the draft of the guidance, “Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid.” Rebecca Herold, who leads NIST’s Smart Grid Cybersecurity Committee’s privacy subgroup, said the new draft will “allow all players in the smart grid to proactively address privacy issues as they create the wide variety of services and components involved, instead of waiting until after the fact, and after privacy incidents, to try to tack privacy on as an after-thought, which is never nearly as effective—as history has taught us.” [BankInfoSecurity]


WW – SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked

A survey from McAfee and Office Depot of more than 1,000 small and medium-sized businesses (SMBs) found that two thirds were confident of the security of their data and devices. More than three-quarters of the companies said they had not been the victims of cyber attacks. There is a significant discrepancy between those numbers and research, which shows that SMBs are often targeted by cybercriminals. 72% of breaches investigated by Verizon’s forensic analysis unit in the company’s most recent Data Breach Investigations Report were of companies with fewer than 100 employees. It is likely that many SMBs are simply not aware that they have been attacked. [InfoSecurity]

US – Survey Suggests Majority of Breaches in US Undisclosed

According to a survey, more than half of all data breaches experienced by companies in the US remain undisclosed. The study surveyed 200 security professionals who conduct malware analysis; 57% said they had investigated or helped manage fallout from a data breach that was not disclosed by the targeted company. [ZDNet] [CSO Online]


US – CIA Allegedly Engaged in Bulk Collection

A Central Intelligence Agency (CIA) program collects bulk records of international money transfers, including transfers inside and out of the U.S. from companies such as Western Union. Unidentified officials said the program operates under provisions within the USA PATRIOT Act and is overseen by the Foreign Intelligence Surveillance Court—similar to the National Security Agency’s phone records metadata program. One official said, “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws.” Meanwhile, Ars Technica reports on a new social media monitoring service unveiled by LexisNexis to aid local law enforcement in mining social media posts for intelligence. [The New York Times]

UK – GCHQ Spoofed LinkedIn & Slashdot to Access Telecoms’ Internal Networks

According to leaked documents, the UK’s GCHQ spoofed LinkedIn and Slashdot pages to install malware on the computers of certain engineers working for global roaming exchange providers in Europe. Once the malware was on the computers, intelligence agents were able to gain access to internal networks of Belgian telecommunications company Belgacom and its subsidiaries. The method used to infect the computers is known as “Quantum Insert” and was developed by the NSA.[Der Spiegel] [WIRED] [ComputerWorld] [Ars Technica]

WW – As NSA Fallout Continues, Investigations Launched

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global Swift money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services.” “We will investigate if the security of the networks and databases of Swift containing huge quantities of personal data related to bank transactions, of among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden’s revelations about NSA surveillance could be “much if not most of the open web will be encrypted by default.” [Bloomberg]

WW – Google Engineers Angry Over NSA and GCHQ Snooping

Google has begun encrypting traffic between its data centers after leaked documents indicated that the NSA and GCHQ had been targeting the fiber-optic networks that transmit data between Google data centers in a data harvesting operation dubbed MUSCULAR. (For the record, the operation also snooped on traffic between Yahoo data centers.) The traffic was not encrypted before because it was considered internal to the company. Google executive chairman Schmidt was vocal about his feelings regarding the situation, calling the operation “outrageous” and “perhaps illegal.” Google engineers have also vociferously expressed their anger about the situation. [Ars Technica] [ZDNet] [The Register]

WW – Tech Companies Want Restrictions on Gov’t Surveillance

Following news that the National Security Agency (NSA) was tapping into Yahoo and Google data centers, a coalition of tech companies is calling on Congress for restrictions on government surveillance. Google, Yahoo, Microsoft, Facebook, Apple and AOL have asked for “substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms.” Meanwhile, a U.S. senator and privacy advocates are raising concerns that a bill introduced last week to amend the Foreign Intelligence Surveillance Act would give the NSA permission to collect massive amounts of not only Americans’ phone records, but e-mails as well. [MediaPost]

US – House Committee Wants Answers from VA About Cybersecurity Practices

The US Department of Veterans Affairs (VA) is coming under scrutiny from a congressional committee after offering inconsistent explanations for several data breaches since 2010. The state-sponsored cyberattacks have compromised personal information of more than 20 million veterans and their family members. In the past three weeks, the House Veterans Affairs Committee has made six formal inquiries to the VA’s Office of Information and Technology regarding the agency’s IT security practices and compliance with federally mandated standards. The agency has a backlog of unanswered inquiries dating back to June 2012. The most recent round of inquiries arose after it became clear that VA networks were compromised multiple times since March 2010, but officials have been unable to determine what data were compromised. [FCW]

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan Tuesday on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Diane Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

US – Surveillance Constitutionality May Be Tested in Court

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

Telecom / TV

US – IBM to Acquire Fiberlink Communications

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.” [IBM]

US Government Programs

US – U.S. Willing to Consider Reforms

Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) David Medine said the government is open to changes about how it conducts phone and Internet surveillance programs as long as they don’t undermine the programs’ effectiveness. PCLOB is now examining how to balance thwarting terrorist plots with protecting Americans’ privacy. It will present a report to President Barack Obama on suggested reforms to surveillance programs. In an opinion piece for The Atlantic, Conor Friedersdorf says defenders of digital surveillance programs should apply the logic to the analogue world, where “everyone recognizes the absurdity of effectively outlawing privacy.” [Chicago Tribune]

US – Gov’t Considers Removing NSA from Military Command

The Obama administration is considering removing the U.S. National Security Agency (NSA) from military command and appointing a civilian to lead it. Gen. Keith Alexander is retiring in 2014, and a list of his potential replacements is being compiled. Meanwhile, plans for a European Internet—a direct response to the NSA revelations this summer—is being discussed by German company Deutsche Telekom. The company aims to keep German citizens’ data safe from foreign governments. And Privacy International has announced a new project that seeks to promote data protection within humanitarian efforts. [The Guardian]

US – White House May Consider Civilian to Head NSA

When NSA chief General Keith Alexander steps down from his post next year, the White House may nominate a civilian candidate to fill the position. The NSA has drawn its leaders from within the military since the agency’s inception in 1952. Alexander currently also heads the US Cyber Command, so a civilian NSA director would be considered only if the White House decides to split the two positions after Alexander steps down. A civilian nominee would likely have to face Senate confirmation hearings. A qualified civilian candidate may be difficult to find, as the job requires a depth of technical knowledge and “familiarity with intelligence gathering.” Jim Lewis, senior fellow at the Center for Strategic and International Studies, notes that a civilian NSA director may encounter difficulty providing intelligence for military operations. [The Hill]

US – NSA and Cyber Command Leadership Likely to be Separate

It appears likely that the next person to serve as NSA chief will not have authority over US Cyber Command, as does current NSA chief General Keith Alexander. Both military officials and legislators are leaning toward dividing the positions to prevent abuse of power and to help restore public trust in the NSA. Alexander, who was appointed head of the NSA in 2005 and acquired the leadership role at Cyber Command in 2010, plans to step down from those positions next year. He believes the two roles should be connected because agencies could end up squabbling over resources and decisions. [The Hill] [CNET]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” State AGs concurred recently at the IAIPP Privacy Academy. The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – DHS Submits Annual Report on Privacy to Congress

In her first public communication, new U.S. Department of Homeland Security CPO Karen Neuman posted on the DHS blog that she has officially submitted the DHS Privacy Office’s 2013 Annual Report to Congress . “As the Privacy Office enters our tenth year,” she writes, “we will continue to ensure that DHS stays committed to protecting the privacy of all individuals, and providing the greatest level of transparency and accountability possible.” The report, which stretches to 86 pages, opens with a message from Deputy CPO Jonathan Cantor, who acted as CPO for much of the time the report covers, and outlines how the department accomplished goals related to its privacy and disclosure policy, advocacy, compliance, oversight and workforce excellence. [DHS]

US – Inspector General: DHS Lacks Resources to Handle Online Threats

The Department of Homeland Security’s (DHS) inspector general says DHS has struggled to respond to cybersecurity threats because of “lingering technical, funding and staffing woes.” In an October 24 report, the inspector general said DHS lacks the tools and training needed to track hackers who are after U.S. banks and other businesses and needs more resources in order to be able to communicate threats to its cybersecurity workforce in real time. There is a system to distribute event reports and another for distributing response information, but the two are not connected. The IG’s report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. While President Barack Obama has nominated someone for the post, DHS currently lacks a leader. [Politico] [NextGov] []

US – Report Finds NSA, GCHQ Mass Surveillance Violated EU Law

A new study reveals that dragnet Internet surveillance by the U.S. National Security Agency (NSA) and the UK’s GCHQ violated European privacy law. The study’s authors, Sergio Carrera of the Centre for European Policy and Francesco Ragazi of Leiden University, have urged the European Parliament to “break the wall of silence,” the report states. Meanwhile, a report in Foreign Policy contends that, in the debate about the NSA’s surveillance programs, “privacy is a red herring.” [ComputerWeekly]

US Legislation

US – Lawmakers Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. The bipartisan legislation, which has won the support of advocacy group Consumer Watchdog, “would prohibit web giants … from collecting personal information, including location data, on children ages 15 and younger” without permission, the report states, describing teenagers as “a group that is leaving extensive digital dossiers” through the use of social media. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill] [The Washington Post]

US – Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds

A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company that alleges breaches at Wyndham and its three subsidiaries comprised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. A Covington & Burling InsidePrivacy post noted, “Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.” [Full Story]

US – Is Cali’s “Eraser” Bill the Wrong Approach?

Recently passed legislation in California essentially creates an “eraser” option for children and teens. Yet, privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy with their privacy in the first place, whereas older users may not be as sophisticated. Center of Democracy and Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California. [Al Jazeera]

US – FAA Releases Roadmap for UAS Integration

The Federal Aviation Administration has released an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six tests sites, which will help “inform the dialogue” with privacy and civil liberties concerns. [WIRED] See also: [Calo: FAA Plan “Sensible”; Not All Agree]

US – Markey Introduces Drone Bill

Sen. Ed Markey (D-MA) has filed a bill that would require the Federal Aviation Administration (FAA) “to insert privacy protections in its examination into the possibility of allowing drones to be flown in commercial airspace.” Markey explained his Drone Aircraft Privacy and Transparency Act would require the FAA to ensure warrants are in place before using drones for surveillance. “Before countless commercial drones begin to fly overhead, we must ground their operation in strong rules to protect privacy and promote transparency,” he said. [The Hill]

US – SCOTUS Lets Facebook Settlement Stand

The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.” [Bloomberg]

US – Privacy Group Can Finally Start Work as Facebook Beacon Suit Ends

After three and a half years of legal wrangling, the U.S. Supreme Court let stand a $9.5 million settlement between Facebook and class-action plaintiffs, bringing an end to the case triggered by the Beacon advertising program. It is the just the beginning, however, for the Digital Trust Foundation. Created by the settlement and led by Berkeley Center for Law and Technology head Chris Hoofnagle, the DTF will now begin developing grant-making guidelines for organizations seeking a portion of the $6 million in funds allocated for the study of online privacy. [Ad Age]

US – Federal and State Regulators on How to Get “Off the Hook

The FTC has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. [The Privacy Advisor. Full Story]

US – What Privacy Pros Need to Know About the NIST Cybersecurity Framework

As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, that they understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker. [Full Story]

US – California’s Tidal Wave of Legislation: A Roundup

For more than a decade, California has stood at the forefront of the privacy legislation wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the California Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. In this exclusive for The Privacy Advisor examines five new laws as well as legislation that is currently pending in California. [Full Story]

US – U.S. Urges EU to Preserve Safe Harbour

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra’s reported involvement in the surveillance network.” [Full Story]

Workplace Privacy

US – Employee Monitoring: What’s Allowed and What’s Not?

Employers walk the line between protecting company resources and ensuring productivity and becoming big brother to their staff. Technology is available to monitor everything from computer use to hallways, but just because it’s out there, doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. [Close-Up: Workplace Privacy]

US – Case Over Workplace Audio Recordings Offers Insight

The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers. [Full Story]


17-31 October 2013


CA – Comparing Manitoba’s Privacy Law With Alberta’s

Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states. [Full Story]


WW – Website, Researcher Rate Sites on Practices

A fledgling site is using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—was thrust into overdrive since the NSA revelations. [Forbes]

US – Study: Consumers Enjoy Personalized Experience

A recent study indicates consumers want to be understood by the businesses with which they interact. In the SAS Institute survey, 71% of respondents said they are in fact concerned about recent news on government surveillance, but 60% said they expect businesses to know their preferences and understand their needs, the report states. In a post for The Wall Street Journal, University of Miami Associate Prof. Robert Plant discusses how consumers can make money off of their own data. Meanwhile, IBM’s Jeff Jonas writes that if a company is going to profit from consumer data, it must at least be transparent about it. [eWeek]

Electronic Records

WW – Researchers Push for More Patient Data Sharing

Two papers published in the New England Journal of Medicine back an international push to get drug companies to share patient-level data from clinical trials. Pharmaceutical industry reformers have been calling on drug companies to release patient data in order to ensure the safety and effectiveness of new drugs. Blowback from the release of certain pharmaceuticals, including Vioxx and Avandia, has revealed the dangers of concealed clinical drug trials, the report states. A group of academics advocating for such transparency said, “The question is not whether, but how these data should be broadly shared.” A Europe-based group of researchers said, “A managed-release environment that allows sharing of patient-level data while ensuring patient privacy would create a level playing field for all stakeholders.” [Milwaukee-Wisconsin Journal Sentinel]

US – Health Privacy Startup May Have Privacy Problem

Medical records startup Practice Fusion—which recently received $134 million in venture capital—and its potential privacy problem. The company offers free patient management services. It also has 75 million records of patients’ health conditions and prescriptions. The data is allegedly de-identified and then becomes available for analysts, pharma companies and market research. It launched a doctor review site in April filled with 30,000 doctor profiles and more than 2 million patient reviews. In some cases, neither the doctors nor patients knew the reviews would be available publicly. Meanwhile, Sen. Edward Markey (D-MA) has called on Walgreens to answer the privacy impact of its new “Well experience” pharmacy model. [Forbes]

US – Working the Kinks Out of the US’s Health Insurance Online Marketplace

President Barack Obama is launching a “tech surge” to address glitches in, the web online marketplace designed to help people find health insurance under the Affordable Care Act. Improvements that have been implemented since the site’s launch include increasing server capacity to deal with high levels of traffic and allowing people to preview plans without having to fill out a form. [NextGov] [ArsTechnica] [LA Times]


US – Ruling Threatens Internet Privacy, Brief Says

The Electronic Frontier Foundation (EFF) filed a brief arguing that a court order requiring secure e-mail provider Lavabit to hand over its master encryption key undermines the security and privacy of the Internet. Filed in the U.S. Court of Appeals of the Fourth Circuit, the brief contends the order would have allowed the U.S. government to access the personal information of all of Lavabit’s 400,000 users. “This is like trying to hit a nail with a wrecking ball,” the EFF brief stated. Meanwhile, LinkedIn’s Intro service is raising privacy and security concerns. [IDG News Service]

WW – Anonymous VPN Service Shuts Down, Cites Gov’t Intrusion

CryptoSeal Privacy, a service providing anonymous virtual private networks, has shut down the consumer service portion of its business rather than risk U.S. government intervention. The move follows a similar business decision by former e-mail service provider Lavabit. A legal filing in Lavabit’s case has been seen as troubling for Cryptoseal, the report states. CryptoSeal wrote, “Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner … The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service.” [Ars Technica]

WW — E-mail Encryptors Form Dark Mail Alliance

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.” [Forbes]

WW – Windows 8.1 Comes with Automatic Disk Encryption

Microsoft Windows 8.1 ships with automatic device encryption enabled by default, but the feature’s hardware requirements mean that it works only on newer systems. [ArsTechnica] [ArsTechnica] [CNN]

US – US Government Sites Using Expired SSL Certificates

More than 200 US government websites appear to be using expired SSL certificates, putting site visitors at risk of having personal information stolen through man-in-the-middle attacks. Some of the expired certificates may be due, in part, to the government shutdown. According to a study from the University of California, users are likely to click through messages warning of expired certificates. [IT News] [NextGov] [Study of Browser Security Warning Effectiveness]

EU Developments

EU – LIBE Adopts Compromise Amendments; Sends Draft To Council

The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.” [Privacy Advisor] See also: [Has the LIBE Committee Torpedoed the Safe Harbor?]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

EU – Two Years Later, LIBE to Vote on Reg

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strausburg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.” [Full Story]

UK – Gov’t to Consult on Jail Time for Breaches

The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states. [Full Story]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [Full Story]

UK – ICO: We Do Not Discriminate

Computing reports on the insistence of the Information Commissioner’s Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion “nobody has been ‘let off’ fines” since the ICO received the power to levy fines up to 500,000 GBP three years ago. “I think there’s certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a pay day loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.” [Full Story]

EU – ECHR Anonymous Posting Decision Sparks Concern

The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, “This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals’ rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states. [Full Story]

EU – France Backs Fines for Sharing with U.S. Gov’t

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens trust,” said European Commission President José Manuel Barroso. [The Telegraph]


UK – UK ISPs Ordered to Block More Sites in Bid to Quell Piracy

A UK court has ordered Internet service providers (ISPs) there to block 21 additional websites suspected of encouraging illegal music filesharing. The blocks must be in place by Wednesday, October 30. Earlier orders have called on UK ISPs to block eight other sites, including The Pirate Bay. [BBC]


EU – Parliament To Vote on Suspending SWIFT

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding. [EU Parliament]

US – Are Banks Regularly Violating the GLBA?

Forbes reports on the selling of personal information by the financial industry and new research by Carnegie Mellon University Prof. Lorrie Faith Cranor. She, along with her students, analyzed 3,422 financial institutions to better understand their data-sharing practices and to see whether they comply with the Gramm-Leach-Bliley Act (GLBA). Her research found that practices varied widely—including 27 organizations that violated GLBA regulations altogether, the report states. “There is really no way for a consumer to find the good banks,” Cranor said, “because you would never think to check all the privacy policies.” JP Morgan Chase Director of Public Affairs Steve O’Halloran said, “We post our consumer privacy notice on On this page, you’ll notice that customers can limit information that is shared with affiliates and non-affiliates.” [Forbes]

Health / Medical

US – Tiger Team Uncovers Skepticism of HIPAA Disclosure Rule

As the U.S. Department of Health and Human Services’ Office of Civil Rights prepares to finalize rules for accounting disclosures as part of the HITECH Act, the Privacy and Security Tiger Team (part of the Office of the National Coordinator’s Health IT Policy Committee) is surveying stakeholders, and the stakeholders aren’t thrilled. The disclosure rule allowing patients to ask for a report detailing all internal access to their records is “misguided,” says the American Hospital Association. The Confidentiality Coalition fears “frivolous lawsuits.” The National Association of Chain Drug Stores says there will be “enormous new burdens.” Comments are open through Oct. 25 if you want to chime in. [Government Health IT]

US – Healthcare Breach Case a Boon for Encryption?

A California appeals court ruled that the Board of Regents at the University of California can’t be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. The decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion “introduces risks to beneficiaries’ personal information.” [mHealth News]

Horror Stories

US – Laptop Thefts Result in Medical Breaches

A breach at California’s AMHC Healthcare where two laptops containing the personal health information of 729,000 patients were stolen. According to medical breach data kept by the U.S. Department of Health & Human Services, the breach is the second largest this year. [FierceHealthIT]. Seton Healthcare Family in Texas has also announced a breach involving a laptop theft.

WW – Adobe Breach Affected At Least 38 Million Users

The estimated number of registered Adobe products users affected by a recent breach of that company’s systems has been increased to more than 38 million. The breach was initially disclosed at the beginning of October. At that time, Adobe said that the attackers stole encrypted credit card information of three million customers. In addition to increasing the number of affected users, Adobe also said that the breach appears to have compromised source code for Photoshop. [KrebOnSecurity]

WW – Breach Roundup…

Meanwhile, the Department of Energy says the number of people affected by a breach resulting in stolen data in July 2013 is more than double the number it initially estimated. A new survey indicates two-thirds of U.S. adults wouldn’t return to a business if their personal data was stolen.

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action. [Bank Info Security]

Hackers broke into database service MongoHQ using the compromised username and password of an administrator. The hackers made off with the data of a “limited number” of users. [eWeek]

In Missouri, Boone Hospital Center has begun notifying 125 patients that an employee working with an affiliated clinic may have accessed their personal information, including birthdates, Social Security numbers and medical diagnoses. [eSecurity Planet]

In Minnesota, Allina Health has started to notify patients that their personal health information was improperly viewed by a certified medical assistant. More than 3,000 patients were affected, though it is not believed the information has been used nefariously. The medical assistant has since been fired.

Insurance company Fidelity Life says a USB stick with sensitive data on about 1,200 clients was stolen from an employee’s car. The data included personal bank account numbers on people who had investments with a recent acquisition, Tower Health and Life.

In South Carolina, about 33,000 residents have enrolled in the state’s new identity theft protection service. Those eligible for protection had their data exposed in last year’s hacking of the state Revenue Department. A new study indicates that of 16 million victims of payment card information breaches in 2012, more than 25 percent were also victims of identity theft. The report found that retailers are the prime targets for payment card breaches, and that’s a trend that doesn’t look to be changing soon.

A recent data breach at Adobe impacted at least 38 million users, the company says. The stolen data was posted last weekend to Adobe has been contacting those who’s encrypted password information was stolen and urged them to reset their passwords [KrebsonSecurity].

Supermarket chain Schnuck Markets has recently agreed to a proposed class-action settlement following a breach involving 2.4 million credit and debit cards earlier this year. The chain will pay each affected customer up to $10 for each card hit with a fraudulent charge and $10 an hour for “up to three hours of documented time spent dealing with the breach.” [eSecurity Planet]

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. Attorneys say the settlement is “groundbreaking” and will likely “serve as a template for other plaintiffs in class actions over data breaches,” the report states. [Law360]

The U.S. Attorney’s Office has charged an alleged hacker in the UK with breaching thousands of computer systems in the U.S. and elsewhere. [Dark Reading]

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said.

Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in California. An employee in the hospital’s records department illegally obtained a patient’s medical file. The employee was subsequently fired. In the same state, the Legal Aid Society of San Mateo County is alerting patients of the burglary of 10 laptops containing personal data. The laptops were used by attorneys helping patients with healthcare services, and the data compromised may have contained medical data and Social Security numbers, HealthITSecurity reports.

In Florida, Broward Health is warning 960 patients about a data breach after a former employee stole their personal information. Wisconsin’s Memorial Hospital of Lafayette County has posted a notice on its website that it mailed 8,000 data breach notification letters after its third-party billing vendor accidentally sent their financial statements to the wrong people. In Virginia, two former nurse’s aides improperly accessed about 3,700 patients’ personal information in an identity theft scam, netting more than $116,000, The Virginian-Pilot reports.

An investigation by the Pittsburgh Tribune-Review has found employees or contractors committed more than 14,000 HIPAA privacy breaches since 2010, iHealthBeat reports. The breaches affected more than 100,000 veterans and more than 500 VA employees.

California’s Monterey County Department of Social Services has recently begun notifying residents that their personal data may have been exposed following access to the department’s computer by unauthorized users overseas.

An IT security vulnerability was found on News Corp’s major metropolitan websites in Australia, The Sydney Morning Herald reports. The details exposed include birthdate, e-mail address, number of children and household income.

PR Newswire is “conducting an extensive investigation” and has notified law enforcement over a breach earlier this year in which hackers broke into its networks, stealing usernames and encrypted passwords. The stolen data was recently found on the same Internet servers housing data stolen in an Adobe Systems breach, Krebs on Security reports, indicating the same party may be responsible for both breaches.

In South Africa, a variant of malware inserted into point-of-sale devices at South African fast-food outlets has cost local banks tens of millions, Mail & Guardian reports.

Following a probe by the UK Information Commissioner’s Office (ICO) into Panasonic UK’s data security policies, the company has agreed to strengthen its data security practices. The ICO will not serve an enforcement notice based on Panasonic’s plans.

Symantec Corp. is asking a federal court in California to toss out a proposed class action. The plaintiff in the case accuses Symantec of concealing a data breach and says the company is now raising “unavailing or scattershot arguments” in its aims to see the case dismissed.

Meanwhile, an article for CFO warns companies should do their due diligence before entering contract negotiations with cloud providers in order to avoid data-breach liability claims.

Identity Issues

US – Cali AG Releases Recommendations on ID Theft

California Attorney General Kamala Harris has released a report, “Medical Identity Theft: Recommendations for the Age of Electronic Medical Records,” that includes guidelines for the healthcare industry and insurers on preventing and remedying medical identity theft. The report focuses on the impact of identity theft on the accuracy of medical records and recommends that healthcare providers implement an identity theft response program, build awareness of the dangers and train staff appropriately, among other recommendations. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said Harris. Accompanying the report is also a guide for consumers. [Report]

US – Mobile Devices to Become Identity Verifiers Thanks to Federal Grants

HID Global and two of its partners have received cybersecurity grants through President Barack Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative. The grants will be used to develop systems that will enable mobile devices to carry credentials for identity verification to improve consumer privacy among other things, the report states. Dubbed the NSTIC Key Team, the companies will enable mobile devices “to be used like smart cards to secure applications and networks for a leading social media company, a healthcare organization and the U.S. Department of Defense.” [Dark Reading]

US – Experian Subsidiary Sold Data to Underground Identity Fraud Site

An underground website that sold data that could be used to commit identity fraud appears to have purchased a significant amount of information from the US credit bureau Experian. The site,, sold Social Security numbers (SSNs), drivers license numbers, and financial data. Some of the data available on the site were obtained from a company called Court Ventures, which Experian acquired in March 2012. Court Ventures “aggregates, prepackages, and distributes public record data.” The data thieves operating Superget pretended to be a US-based private investigator to gain access to the data. [KrebsOnSecurity]

US – Brill to Headline “Reclaim Your Name” Event at NYU

Now that the partial government shutdown is over, FTC Commissioner Julie Brill can focus on her next public speaking event. She will headline NYU-Poly’s third Sloan Cybersecurity Lecture, “Reclaim Your Name: Privacy in the World of Big Data,” to be held October 23, with a speech she promises will be “pretty colorful.” In this exclusive for The Privacy Advisor, Brill previews her talk by saying companies are already responding to her call for data transparency and the ability to correct and suppress. “I look at Axciom’s AboutTheData website as a response to what I called for,” she said. “It’s not nearly full-blown Reclaim Your Name, but it’s a first step toward providing more transparency to consumers about data collection and use practices.” [Source]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law.” While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports . “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [EUObserver]

Intellectual Property

US –MPAA Publishes List of Top Filesharing Sites Around the World

The Motion Picture Association of America (MPAA) has released a report that lists major illegal filesharing sites around the world. Ironically, the MPAA has criticized Google for returning high numbers of filesharing sites in its search results, but now MPAA has provided an organized list of many of those sites. The MPAA report was created to provide the US Trade Representative with the names of “potential Internet and physical notorious markets that exist outside the US.” [WIRED] [MPAA’s Report critical of Google]; [MPAA’s Report on Filesharing Sites]

Internet / WWW

EU – Europe Aims to Lead With the Cloud

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” “Trust can be restored with more transparency and the use of high standards,” the commission said. “A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential.” []

US — U.S. Group Lobbying to Prevent Cloud Mining in Europe

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud. [ZDNet]

Law Enforcement

US – City To Tighten Plate-Scanning Retention Limits

In response to an open records request, the Pittsburgh Parking Authority (PPA) will tighten its license plate scanning policy and regularly delete scanned photos from its database. Over the last eight years, the authority has taken millions of photos of parked vehicles and stored the data for up to 30 days in a database that potentially can be used to track a vehicle’s movement around the city, the report states. In a letter, PPA Executive Director David Onorato wrote, “This type of information will no longer be accessible, except with respect to vehicles that have outstanding parking tickets.” The Pennsylvania chapter of the American Civil Liberties Union applauded the move, with one representative saying, “It is really creepy when you can say, ‘You were at the Giant Eagle at such and such a time.’” [Pittsburgh Post-Gazette]

US – Aaron’s Settles FTC Charges That it Enabled Computer Spying

The Federal Trade Commission (FTC) announced that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cybersyping and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement. [FTC]


WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations“ function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Mozilla Developing GeoLocation Public Data Service

Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” “The data would be provided by cell towers, WiFi and IP addresses,” the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia. [PCWorld]

US – Federal Appeals Court Says Warrant Required for GPS Tracking

The Third US Circuit Court of Appeals has ruled that law enforcement officers must obtain a probable cause warrant before affixing GPS trackers to a suspect’s vehicle. The is the first appeals court ruling since the January 2012 US Supreme Court ruling in United States v. Jones that affixing a GPS device to a suspect’s vehicle constitutes a search under the Fourth Amendment. The justices did not rule on whether the search was unreasonable and thus required a warrant. This recent case, United States v. Katzin, involved a GPS device attached to the vehicle of a suspect in a series of pharmacy robberies. [ComputerWorld] [WIRED]


BA – Bahrain Cabinet Approves Draft Privacy Law

Gulf Daily News reports that during the cabinet’s weekly session, it gave its initial approval to a draft legislation that “aims to provide legal protection of personal privacy, which is a fundamental constitutional right.” According to Minister of State for Information Affairs and official government spokeswoman Sameera Rajab, the bill “includes the protection of digital data,” in order to “enhance public confidence in electronic transactions through the preservation and protection of personal data.” The cabinet has referred the bill to the ministerial committee for legal affairs and, according to the report, more details about it will available after it is discussed in the National Assembly.

Online Privacy

WW – Privacy Advocates, Online Ad Groups Still Doubt Do Not Track Talks

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end, but, the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.” [The Hill]

US – DMA Calls for New Privacy Laws; Marketing Questions Persist

The Direct Marketing Association (DMA) is asking Congress “to overhaul privacy laws in order to protect companies’ ability to use data for marketing purposes.” The DMA’s requests include asking Congress “to invalidate state laws ‘that endanger the value of data’ and to prohibit consumers from bringing privacy class-action lawsuits,” the report states. On the subject of direct marketing, a Forbes report entitled “Kroger Knows Your Shopping Patterns Better Than You Do “ looks at one of the nation’s leading grocery store chains’ ad campaigns. Meanwhile, in a separate incident, a DMA e-mail campaign this weekend “reportedly hit more than 100 spam traps and e-mail boxes of some of the world’s most prominent anti-spammers.” [MediaPost]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [FB Announcement]

WW – Facebook Tests Software to Track Your Cursor on Screen

New software is being tested by Facebook to increase the site’s ability to collect great amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. [The Wall Street Journal]

WW – New Open-Sourced Browser Blocks Ads by Default

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote , “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward. [InformationWeek]

US – Sen. Schumer Backs Offline Do-Not-Track

We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.” [Source]

WW – The Economics and Future of Cookies

As the IAPP reported, cookies may be reaching the end of the road—but not with a whimper. Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” [Wall Street Journal]

Other Jurisdictions

US – Senators Wants Answers on Student Data Outsourcing

Sen. Ed Markey (D-MA) wants to know how student information is being protected when it comes to data collection and analysis within the education-technology industry. Markey sent a letter to Secretary of Education Arne Duncan asking how K-12 schools are outsourcing the management and assessment of student data to technology vendor. “By collecting detailed personal information about students’ test results and learning abilities, educators may find better ways to educate their students,” Markey wrote. “However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children.” [New York Times]

AU – Australian Prof: Privacy Tort Can’t Do Everything

The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything–even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the question of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” [Full Story]

HK – Hong Kong PCPD Orders Company To Stop Supplying Data

“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. [Full Story]

Privacy (US)

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]  

US – Warrantless Surveillance Law May Face Test in Criminal Case

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday , the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

US – Tips on Complying With COPPA While Still Making Money

Sara Hanlon, the CEO of a website targeted to kids and their grandparents, offers tips on how to meet the challenges of the newly revised COPPA while continuing to bring in revenue through your website. “While there are expenses associated with compliance, the complexity of the law and the thought of overhauling an entire business model are bigger issues,” Hanlon writes, noting that for some, “the law has created opportunities to innovate in order to continue to profit.” Tips offered by Hanlon include: Read and understand COPPA, don’t “assume your lawyer, developer or anyone else is handling this for you;” create a “parents area” on your site, and join an FTC-endorsed Safe Harbor Program, among others. [AdAge]

US – FTC: Ignore Privacy Principles at Your Own Peril

U.S. Federal Trade Commissioner Julie Brill warns the data broker industry that it must protect consumer data or face the consequences. Companies that ignore “basic privacy principles do so at their own peril,” she writes, but urges the industry to join a collective creation of consumer-friendly online services, an initiative she called Reclaim Your Name. Meanwhile, the FTC is mulling potential regulation of the emerging Internet of Things (IoT) market. Referencing a recent settlement with TRENDnet, Hogan Lovells writes that the agency may be taking a broader view of “sensitive data.” The FTC will host a roundtable on IoT next month. An earlier Privacy Perspectives post looked at some of the comments provided to the FTC by industry and advocacy. [AdAge]

US – SCOTUS Won’t Hear Privacy Lawsuit

The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward. [Reuters]

US – Expose of Experian Sparks New Questions About Data Brokers

Recent revelations that a company acquired by Experian may have sold personal data to a group of identity thieves has prompted an investigation by Sen. Jay Rockefeller (D-WV). The Experian report comes as Rockefeller and the FTC are both already investigating the data broker industry. In a letter to Experian , Rockefeller wrote, “if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data.” On Wednesday, FTC Commissioner Julie Brill called on Congress to enact legislation to regulate the data broker industry. [MediaPost]

US – TSA To Screen Passengers Before They Arrive at Airports

The Transportation Security Administration (TSA) is expanding passenger screenings by searching government and private databases for data on passengers—including car registrations and employment information—before they get to the airport. The TSA says the practice, which was revealed in documents released by the TSA under government regulations on data use and collection, aims to streamline the security-check process for travelers who don’t pose a threat. “I think the best way to look at it is as a pre-crime assessment every time you fly,” said a spokesman from The Identity Project. [The New York Times]

WW – IAPP Hits 14k Members, Expands Into New Space

The IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices. [Source]

Privacy Enhancing Technologies (PETs)

WW – Business Rx: Data Privacy Firm Wants to Sell to Consumers

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. ManageURiD, formed last year, is intended to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” [The Washington Post]


US – Former US VP Disabled Wireless Capability of Implanted Defibrillator

Former US vice-president Dick Cheney acknowledges that he had modifications made to his implanted defibrillator to prevent the device from being hacked. In 2007, Cheney had the device’s wireless feature disabled. [BBC] [The Register] [ArsTechnica]


US – NIST Releases Preliminary Cybersecurity Framework

After a short delay caused by the partial U.S. government shutdown, the National Institute of Standards and Technology’s Informational Technology Laboratory has released the Preliminary Cybersecurity Framework required under President Barack Obama’s executive order, “Improving Critical Infrastructure Cybersecurity,” of February 2013. NIST will shortly open a 45-day comment period on the preliminary framework, which will be posted here . Comments can be submitted at in Word or Excel format. The feedback is vital and at the top of the document NIST outlines the types of questions they’d like answered, including issues of cost-effective implementation and existing best practices. The practices described in the document are voluntary. Some are critical of voluntary standards because they in turn become the de facto industry standards, which means companies that suffer breaches could be found liable if they have not implemented the practices. Private companies operate most elements of the country’s critical infrastructure. The final version of the document is scheduled to be released in February 2014. [GovInfoSecurity] [CNET] [Bloomberg] [SC Magazine] [Draft Framework] [NIST]

US – Workarounds Put Brands at Risk

User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52% of healthcare workers globally use risky workarounds that are out of compliance with policy, and 66% find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. [The Privacy Advisor David Houlding]

UK – 66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills

Twenty-four out of 25 UK firms report not having the adequate security measures to battle cyber attacks and two-thirds report that the lack of staff with advanced technical skills is the cause. [Telegraph]

WW – Mobile Firefox OS Exploits at Conference In India Next Month

A teenager who has discovered a way to infect Mozilla Firefox mobile operating system with malware says he will remain silent about the exploit until a November summit in New Delhi, India. Shantanu Gawde developed malware that allows attackers to gain remote access to devices’ SD cards, transfer contacts, track locations, control radio functions, and upload and download pictures, music, and video. [SC Magazine]

Smart Cards

US – Loyalty Cardholders Concerned About Privacy

Privacy is a factor for consumers considering whether to join loyalty card programs. A Mintel survey has found 32% of consumers believe “privacy is an important attribute of any loyalty program,” the report states. The study also found that 13% of respondents were frustrated “with too much personal information being requested during enrollment” and 10% cited concerns about “a lack of control over the privacy of their information,” according to the report. Mintel’s Ika Erwina said, “Reassurance of privacy is undoubtedly a key strategic tool in loyalty program engagement, but there is a paradox at play here between personalization and privacy.”[Supermarket News]


US – NSA Admits Snooping on World Leaders’ Calls

The NSA has acknowledged that it snooped on phone calls of 35 world leaders, including German Chancellor Angela Merkel. The White House was unaware of the program until this summer; once it learned about the snooping, it was stopped. The WSJ story says that the surveillance decision was made at NSA and did not require approval from the president. According to other sources, US intelligence officials say that the State Department and the White House both signed off on the surveillance program. While it is possible that the president was not briefed on specific NSA operations targeting foreign leaders’ communications, the National Security Council and senior members of the intelligence community would be aware of the activity, according to an unnamed former US intelligence official. [The Wall Street Journal] [CBS News] [CNET] [Washington Post] [LA Times]

WW – Spying Fallout Continues; Countries Draft UN Resolution

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance. [The Guardian]

US – Report Says NSA Intercepted ISPs’ Data

Google and Yahoo are upset with a report that the NSA has secretly intercepted “large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers.” “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryptions across more and more Google services and links, especially the links in the slide,” said Google’s chief legal officer. Meanwhile, the American Civil Liberties Union says an FBI program that collects reports about suspicious activity lacks privacy safeguards. [The Guardian]

WW – After NSA Disclosure, Tech Giants Look to Increase Defenses

Days after the latest National Security Agency leak showing the agency had tapped the data centers of Yahoo and Google—allegedly without either company’s knowledge— many large tech companies, including Facebook and Twitter, have been spending time and resources bolstering internal networks to protect their consumers’ data. “What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital data,” the report states. ACLU Senior Analyst Chris Soghoian said some companies are taking steps to ensure “surveillance without their consent is difficult,” but added, “what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.” [The New York Times]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs to monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Diane Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

WW – Schools Grapple With Cyberbullying and Privacy

Emerging social network monitoring systems are designed to survey publicly available posts of students and the corresponding issues around free speech and children’s privacy. Now that students’ cries for help and instances of bullying and threats can be found online, several companies are offering software to help schools detect such outbursts, but do schools have the legal right to do so? Several cyberbullying cases have made their way to federal courts. American Association of School Administrators Executive Director Daniel A. Domenech said of the issue, “It is a concern and, in some cases, a major problem for school districts,” adding that the line between school and student rights can be confusing. One school administrator is weary of such online technology, saying, “The safety and well-being of our students is our top priority, but we also need for them to have the time and space to grow without feeling like we are watching their every move.” [New York Times]

Telecom / TV

US – New TCPA Rules in Effect October 16

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. [Full Story]

US Government Programs

US – Top U.S. Intel Officials Testify; Relations Fray Further

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Administration Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU. [Source]

US – The Feds: Data Brokers’ Next Big Customer

CNN reports on one commercial data broker “that tracks and stores the employment and salary information of millions of Americans” and its “big, new customer—the federal government.” The U.S. government is now using The Work Number, a database owned by Equifax that includes “54 million active salary and employment records and more than 175 million historical records,” in a pilot program aimed at determining eligibility for such benefits as food stamps, a World Privacy Forum report has found. The World Privacy Forum is pointing out privacy concerns, including that commercial databases such as this “do not have to meet the same strict privacy and accuracy standards that government-operated databases do,” the report states. [CNN Money]

US – Fordham Law Releases Privacy Curriculum for Middle Schoolers

Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93% of 12 to 17 year olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish open-sourced curriculum for middle school kids. More than a dozen U.S. law schools have signed on to the program. [Source]

US – US Defense Secretary Wants DOD to Step Up Data Protection

In a memo earlier this month, US Defense Secretary Chuck Hagel ordered the Defense Department to implement measures to protect unclassified controlled data from being accessed by hackers. He has ordered DOD’s chief information Officer and the undersecretaries of defense for acquisition, technology, and linguistics; policy; and intelligence to assess unclassified DOD networks to evaluate their vulnerability to attacks and develop strategy to mitigate those risks. Hagel also called for DOD, the NSA, and DISA to develop means to assess loss of technical data and the consequences of those losses; identify critical acquisition and tech programs that need stronger protection; and make sure they are being adequately protected. [Federal Times] [NextGov]

US Legislation

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – Lawmakers to Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland (R-District 92) said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – California Governor Vetoes Privacy Bill Again

California Governor Jerry Brown has once again vetoed legislation that would have required law enforcement authorities to obtain warrants before searching suspects’ electronic communications. Governor Brown said the bill would impede investigations and would impose requirements beyond those in existing federal laws. This is the third time he has vetoed the legislation. [ComputerWorld] [Governor Brown’s Memo Explaining Veto]

US – Are Class-Actions Becoming Too Big To Settle?

The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. [Full Story]

US – Does the U.S. Have a De Facto National DPA?

Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Sytems. Or any of the dozens of other companies that have been pursued by the U.S. FTC over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC. [Full Story]

US – Amendment Would Require EU Permission for U.S. Law Access

Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups have written to European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” [Full Story]

US – PA House Passes 911 Privacy Bill reports, that the Pennsylvania House has passed HB 1041, providing an exemption to the state’s Right-To-Know law for information that could identify a 911 caller. The bill is sponsored by Joe Hackett (R-Delaware), who noted, “the identity of the caller must be kept confidential to prevent cases of retribution against informants and to ensure the public has a sense of safety and privacy when reporting a crime or other emergency.” The bill now heads to the Senate.

US – Texas AG Seeks to Stop Dating Service’s Database Sale

Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved. filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said. [KFYO]

US – Is DoJ Setting Up New SCOTUS Wiretapping Test?

The U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” [New York Times]

US – A Model Bill to Put CPOs in State DoEs

Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations.”. [Privacy Tracker]

Workplace Privacy

US – State Medical Board Releases Social Media Guidelines

The Rhode Island Board of Medical Licensure and Discipline has released a set of guidelines for physicians’ use of social media to help establish acceptable patient privacy interaction, Health IT Security reports. The board’s Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice sets standards for protecting patients’ privacy, avoiding online requests for medical advice, acting with professionalism and being transparent about one’s credentials and aware that posts could be publicly available. In a Privacy Perspectives post earlier this year, Indiana University Health Chief Privacy Officer Valita Fredland wrote about why healthcare providers should utilize social media. [HealthIT Security]


01-16 October 2013


CA – Groups Come Together Against Gov’t Surveillance

Georgia Straight reports that more than 20 organizations convened in Vancouver to launch the Protect Our Privacy Coalition, a group of “citizens, experts, organizations and businesses” that “have come together to defend our right to privacy based on a common statement of principle.” Micheal Vonn, policy director for the BC Civil Liberties Association, says the group was formed in response to indications that Prime Minister Stephen Harper plans to implement sections of Bill C-30 , commonly known as the online surveillance bill, and Executive Director Steve Anderson points to revelations about spying by Communications Security Establishment Canada. [Full Story]

CA – CIRA CEO: Local IXPs Can Help Avoid Snooping

The Canadian Internet Registration Authority (CIRA) initiative to create local Internet exchange points (IXPs) “where carriers and communications providers directly connect with each other to exchange traffic”—keeping that Internet traffic out of U.S.-based exchanges. CIRA President and CEO Byron Holland noted, “All the events coming out of the U.S. with the NSA and the PRISM program highlight that it’s a good idea to keep traffic in your own jurisdiction as much as you can.” Without local IXPs, he explained, “I could be sending you an e-mail from downtown Ottawa to another point in Ottawa, and there’s a 40%- chance that will go through the U.S.” [IT Business]

CA – Change to Adoption Law Raises Concerns

Under current adoption law in Quebec, if an adopted child would like information about a birth parent, there is a process whereby a youth and family service center contacts the parent to see if they’d be interested in meeting or communicating. Similarly, the center acts as a pass-through should a parent who has given a child up for adoption want to meet that child later in life. Under a new proposed reform, however, children and parents would have to register a “veto” against their identities being given out, otherwise the information would be distributed upon request. Privacy concerns have been raised because while adopted children will have their veto automatically registered when the law passes, parents would have just 18 months to register their veto or have their identities made available. [The Montreal Gazette]

CA – Manitoba Legislation Awaits Proclamation

Manitoba’s new privacy legislation, which received Royal Assent last month, now awaits proclamation. The province’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) “will establish rules for the collection, use and disclosure of personal information, including employee information, for most organizations in the province,” the report states, noting, “At this time, the federal government has not determined whether PIPITPA is ‘substantially similar’ legislation, such that it will replace the Personal Information Protection and Electronic Documents Act within the province.” [Financial Post]

CA – BC Celebrates 20 Years of FIPPA With Video, Conference

British Columbia’s Office of the Information and Privacy Commissioner played host yesterday and today to a two-day conference, Privacy and Access 20/20: A New Vision for Information Rights, designed to both celebrate the 20th anniversary of the passing of the Freedom of Information and Protection of Privacy Act and to look forward to new challenges in information access and privacy. In a column for the Vancouver Sun, and accompanying video, Commissioner Elizabeth Denham lays out “some of the challenges we never envisioned in the early days of privacy legislation.” [Full Story]

CA – Denham: BC Laws Must Be Modernized

In an op-ed for marking the 20th anniversary of the province’s Freedom of Information and Protection of Privacy Act, BC Information and Privacy Commissioner Elizabeth Denham looks at the history of the law and the areas where reform and modernization are needed. Denham suggests the Document Disposal Act must be modernized to address public demand for transparency and accountability. Additionally, she calls for the province to anticipate the challenges of this age of Big Data, adding the province “should be more concerned with the magnitude and frequency of privacy breaches and data spills in the public and private sector.” [The Vancouver Sun]

CA – Remembering Canada’s First Commissioner

Justice Inger Hansen, Canada’s first privacy commissioner, who passed away on September 28, is remembered in an obituary. Hansen, who was born in Denmark in 1929, visited Canada for the first time in 1950 and emigrated a few years later. Appointed as Canada’s first privacy commissioner in 1977, she was “responsible for complaints relating to privacy rights and data protection, a field in which she soon became an internationally recognized authority.” In 1983, Hansen was appointed as Canada’s first information commissioner, and she went on to an appointment to the Ontario Court of Justice in 1991. A memorial service is planned for late October. [Ottawa Citizen]

CA – Union Loses Bid to Keep Recordings out of Court

A major Quebec labour union has lost its bid to prevent the provincial corruption inquiry from hearing wiretap conversations involving its senior leadership. The taped conversations of the FTQ union were taken by police during an investigation. The inquiry will only use those parts of the conversations related to “professional functions” and will not focus on individuals’ personal lives. “We must find a balance between private interests, the right to respect for privacy and the public interest in the search for truth and public information related to the mandate of the inquiry,” the commission wrote in its ruling. [CTV News]


WW – MasterCard Study Looks At Human Nature Vs. Online Privacy

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” [The Washington Post] See also: [Forbes: U.S.-Style Personal Data Gathering Is Spreading Worldwide]


US – Yahoo Sued for Eavesdropping on E-Mail from Non-Yahoo Users

A complaint filed in the U.S. District Court for the Northern District of California alleges Yahoo violated California privacy and federal electronic communications laws by scanning nonusers’ e-mails in the name of targeted ads. The plaintiffs, who are not Yahoo users, allege Yahoo’s interception of messages sent to a Yahoo subscriber in order to profile, collect data and scan for keywords violates California’s Invasion of Privacy Act and the Electronic Communications Privacy Act. The complaint says the practice is “the type of behavior that the U.S. Congress and the California legislature has declared should not be tolerated in a free and civilized society.” [Bloomberg]

US – Harvard to Hold Meetings on E-mail Privacy Policy

A Harvard University taskforce will hold two meetings this month to collect feedback from students, faculty and staff on the school’s e-mail privacy policies. The move comes after fallout from revelations earlier this year that school administration officials covertly searched approximately 14,000 e-mails to find the leak that led to a cheating scandal. In addition to the two meetings, the taskforce has launched a discussion blog and has met several times over the summer to define “underlying principles and questions that it hopes to discuss with the community in the coming months,” according to a university statement, which added, “Among the principles: transparency about the realities of technology, the importance of fostering trust in the Harvard community and respect for the privacy interests necessary to ensure academic inquiry.” []

WW – Yahoo Webmail Gets Default SSL Protection in January

Yahoo has announced that starting on January 8, 2014, all Yahoo mail will be protected by SSL by default. Microsoft has offered optional SSL protection since 2010 and it has been default for Microsoft webmail since July 2012. Facebook implemented SSL for all connections several months ago; it has been an option since 2011. Twitter offered it as an option at the beginning on 2011 and made it default by August of that year. Google has had SSL on by default since 2010, an option since 2008. Yahoo began offering the option of SSL encryption earlier this year. [WashPost] [CNET] [Register]

Electronic Records

US – McAfee: “What Idiot Put This System out There?”

While some said the criticism of privacy protections in the Affordable Care Act’s implementation was political grandstanding, at least one noted cybersecurity guru is right there with them. In a scathing criticism of the technical implementation of the Affordable Care Act, John McAfee said it is a hacker’s “dream.” Because there is no central organization of the program, “anybody can put up a web page and claim to be a broker for this system … [and] it’s not something software can solve.” An unsuspecting person is likely to think a rogue website is real, deliver up Social Security number and various other intimate health details, only to discover the site is fake and built to steal identities. Retirees, McAfee predicts, will have their savings “wiped out in one day because [they] signed up for Obamacare.” [Full Story]


WW – Researcher Finds Encryption Flaw in WhatsApp

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown.” A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.” [Ars Technica]

US – Lavabit Founder Appealing Govt’s Order to Turn Over Encryption Keys

Ladar Levison, owner of the now-shuttered secure email service Lavabit, is asking the Fourth Circuit Court of Appeals in Virginia to rule that the government’s orders earlier this year demanding that the company surrender its private SSL keys were unlawful. Levison is hoping to reopen the business. While Edward Snowden has not been named in connection with the Lavabit case, it seems likely that it was Snowden’s communications the government sought when they demanded that Levison turn over the keys. Levison eventually relented, but shut down his company immediately after surrendering the keys, saying that he would rather shut down his business than be “complicit in crimes against the American people.” [WIRED] [NBC News]

WW – Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data

Lavabit will reopen for a brief window of time to allow users retrieve their data from the company’s servers. Starting at 8 PM US Eastern time on Monday, October 14, users have 72 hours to change their passwords. Following that period, users will have a short window of time to retrieve an archive of their stored messages and account data. [CNET] [Engadget]

US – US Govt Demanded Lavabit Encryption Keys

Recently unsealed documents in a court case regarding secure email provider Lavabit’s appeal of a US government demand for information show that the government had ordered Lavabit to provide it with its SSL keys. The order reads, in part, “The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation.” Levison says he suggested logging Snowden’s communications, decrypting them and uploading them to a government server on a daily basis. But the government wanted the private SSL certificate used to encrypt all Lavabit traffic. He initially provided the encryption keys in hardcopy format, printed out as strings of numbers. When he was found to be in contempt of court for this action, being fines US $5,000 a day, he eventually relented and provided the government with the electronic keys but the immediately shut down his business. [ArsTechnica] [ComputerWorld] [WIRED] [ZDNet] [Register] [Pleadings Exhibits (Redacte)]

EU Developments

EU – Groups Lobbying “Furiously” Ahead of Oct. 21 Regulation Vote

The European Parliament’s vote on “the introduction of the harsh new Data Protection Regulation,” scheduled for October 21, suggesting it will place the “battle between Big Data and individual privacy” front and center. With such organizations as the World Federation of Advertisers and the Industry Coalition for Data Protection “furiously lobbying ahead of the vote, hoping for a lighter-touch regime to protect the interests of business,” the report notes that while this month’s vote is not the last step in the process, “it is a key step in determining the outcome.” [AdAge]

EU – Justice Ministers Support “One-Stop Shop”

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organizations doing business within the EU. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.” [IDG News Service]

EU – U.S. Safe Harbor, Australian Gov’t Actions Questioned

The European Parliament’s Electronic Mass Surveillance of EU Citizens Inquiry is discussing the EU-U.S. Safe Harbor data sharing agreement and has concerns about “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false“—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.” [Press TV]

UK – Privacy Groups Taking GCHQ to Court

Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHG’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.” [Full Story]

EU – Dutch Gov’t Wants Input on Cookie Rules Change

The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from rules in that if browsers allow users to actively configure settings, implicit consent may be an acceptable method, the report states. [Full Story]

EU – Will Regulation Create Euro-Only Cloud?

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. [Full Story]

EU – Avoiding Breach Fines

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes. “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes. [ITProPortal]

EU – Netflix Dutch Privacy Violations: Watchdog Finds Itself Unable to Bite

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.” [ZDNet]

EU – Microsoft Asked by EU Privacy Watchdogs to ‘Improve’ Policies

European data protection regulators have asked Microsoft to tweak its Internet product policies as part of a formal probe into privacy issues. The Article 29 Working Party has “identified a number of areas where improvements are required,” according to a statement. “Microsoft was asked to send its response very shortly, explaining how and when it would implement” the recommendations. The regulators added they are confident that an agreement will soon be reached and indicated Microsoft has been cooperative during the investigation. [Bloomberg]


US – Justice Asks FISC Not to Allow Companies to Divulge Data Request Details

The US Justice Department (DoJ) has asked the FISC to deny a request from major technology companies, such as Google, Microsoft and Facebook, to publish additional details about requests for information they have received from the government. According to a September 30 DoJ filing, divulging the specific numbers of requests, and in some instances, the nature of the requests, would “be invaluable to our adversaries.” The companies expressed their disappointment, with a yahoo spokesperson noting that the decision “ultimately breeds distrust and suspicion – both of the United States and of companies that must comply with [their] directives.” [WashPost]


WW – Google Unveils Plans for User Names, Comments to Appear In Ads

Google plans to launch ads similar to Facebook’s “social” ads, which incorporate photos, comments and names of users. The changes were announced in the company’s revised terms of service last week. EPIC’s Marc Rotenberg said such ads unfairly commercialize Internet users’ images. Sen. Ed Markey (D-MA) has asked the Federal Trade Commission (FTC) to look at Google’s privacy changes, writing in a letter to the FTC that the policy raises questions about “whether Google is altering its privacy policy in a manner inconsistent with its consent agreement with the commission and, if the changes go into effect, the degree to which users’ identities, words and opinions could be shared across the web.” [Reuters]

US – Google Wins Dismissal of Suit Over Web Browser Cookies

Google has won the dismissal of a lawsuit that alleged it had violated computer users’ rights by slipping electronic cookies into their web browsers in the name of targeted advertising. Consumers sued in federal court alleging Google tricked their browsers into accepting the cookies. But U.S. District Court Judge Sue Robinson said in her opinion that users “didn’t demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act, the report states. [Bloomberg]

WW – Google Modifies Analytics In EU-Wide Privacy Concession

In a surprise turnaround, Google will begin offering data processing agreements to websites using Google Analytics in the EU, Iceland, Norway and Switzerland. Since 2011, Google has only offered the agreements in Germany, but after pressure from the Article 29 Working Party to make the agreements EU-wide, Google said in a statement, “Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we’re pleased to provide an optional data processing agreement to Google Analytics customers,” adding, so far, the agreement will only be available in English. The Dutch data protection authority (DPA) has not yet commented, but one privacy expert said the move is significant, adding, “It’s clearly the result of the close coordination of the different DPAs in this case.” Meanwhile, the U.S. Supreme Court has declined a Google Adwords privacy lawsuit. [IDG News Service]

US – Google Wants Wiretap Law Review Before Trial

Google has asked a federal judge for permission to take questions about federal wiretapping laws before a Gmail class-action advances any further. Multi-district claims over Google’s changes to its privacy policy last year have been combined into a single, massive class-action accusing the company of violating federal and state wiretapping, privacy and computer fraud laws. In a recent filing, Google said it wants questions about exceptions to the Electronic Communications Privacy Act answered by the Ninth Circuit before the suit moves forward. [Courthouse News Service]

Health / Medical

US – Texas HSA Tells Providers: Get Certified

The Texas Health Services Authority is encouraging HIPAA-compliance for providers and its call for providers to become privacy and/or security-certified. Citing the potential penalties at the state and federal level—including the Texas Medical Records Privacy Act’s authorization of fines ranging from $5,000 to $1.5 million per violation—the report highlights the authority’s efforts moving forward on a voluntary HIPAA compliance certification program authorized in a 2011 state law. The Health Information Trust Alliance is creating the certification recommendations .[HealthData Management]

US – Tiger Team Hears “Accounting for Disclosures” Testimony

At a hearing before the Health IT Policy Committee’s Privacy and Security Tiger Team on providing patients with information about access to their healthcare data. The hearing on the “Accounting for Disclosures” policy mandated by the HITECH Act included comments from various stakeholders. Patient Privacy Rights’ Deborah Peel “recommended that regulators require health IT developers to provide open access to logs that record every instance a patient’s digital health information is accessed or shared over a network,” the report states, while “doctors, insurers and software developers said such a policy is not feasible.” The committee is currently scheduled to meet October 9. [iHealthBeat]

Horror Stories

WW – Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp

On Tuesday, October 8, Adobe released two security updates for Reader and Acrobat. The first update addresses a memory corruption flaw in RoboHelp 10 publishing software. The second update addresses a regression in Reader and Acrobat that affects Javascript security controls. Both updates are for Windows only. [Internet Storm Center] [SANS Bulletin] [SC Magazine] [CBR online] [InfoSecurity] [Reader and Acrobat]

WW – Attackers Steal Adobe Product Source Code and Access Customer Data

Hackers broke into Adobe’s network where they stole source code for a number of products, including Acrobat, ColdFusion, and ColdFusion Builder. They also accessed customer data, including account login credentials and nearly three million payment card records. The stolen data were stored on the same server used by the criminals who stole data from LexisNexis, Kroll, and Dun & Bradstreet. Adobe believes the attackers accessed the source code repository in mid-August. [Krebs] [CNET] [ArsTechnica] [BankInfoSecurity] Adobe Announcements: [Illegal Access to Adobe Source Code] [Customer Security Announcement] [Internet Storm Center:]

WW –2.9 Million Customers Affected by Cyber-Attack

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.” [BBC]

WW – October Shaping Up to Be Month of Innumerable Breaches

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premiere search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports , he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive for, we round-up an already very busy month in data breaches and responses. [The Privacy Advisor] Amidst last week’s reports of a hack affecting 2.9 million customers, Adobe is resetting relevant customer passwords and “notifying customers whose credit or debit card information may have been compromised.” Meanwhile, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld reports on Microsoft’s recycling of old addresses . And from medical data to personal information, breaches are being reported across the globe. In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner’s Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff. In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period. And in the U.S., North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail, and Natural Provisions, a Vermont grocery store chain, has agreed to pay $30,000 to settle a violation of state data breach laws. [Mondaq]

US – School District, Health-Related Breaches Reported

A New Orleans teachers’ union claims the East Baton Rouge Parish school system violated its employees’ privacy rights when it purchased a full-page ad to congratulate—by name—1,113 educators, The Advocate reports. In Illinois, a local hospital is alerting some of its patients of a possible data breach after a laptop was stolen from an employee’s car. In California, a public health unit is notifying almost 600 patients that their protected health information has been compromised after a laptop was stolen there. And in Iowa, law enforcement is investigating a breach of electronic medical records after a third-party company gained access to the system using an authorized user’s password. Meanwhile, healthcare experts have been discussing concerns related to the need to share veterans’ healthcare data and recent breaches at Veterans Affairs. [Full Story]

Internet / WWW

US – Ad Groups Working on New Tech for Opt-Out

With the W3C’s efforts on Do Not Track moving along again with a call October 9, The San Francisco Chronicle details work by the Digital Advertising Alliance and the Interactive Advertising Bureau to develop technology that would allow consumers to opt out of online tracking “when methods other than traditional cookies are deployed.” The article focuses on a firm called BlueKai, which develops technology for data transfer independent of cookies, but with “the same transparency and notices that cookies have.” [Full Story]

US – Silk Road Bust Shows Feds Penetrating Deep Internet Anonymity

The bust this week of the notorious online entrepreneur Dread Pirate Roberts, now known to be Ross William Ulbricht, a 29-year-old from San Francisco, CA, and the closing of his Silk Road online marketplace for illicit drugs and other sundries, shows U.S. law enforcement is infiltrating ever deeper into the “Deepnet” or “hidden Internet.” Silk Road operated on the Tor anonymity network and was used by thousands to get home deliveries of everything from cocaine to fake passports. Because of Tor’s ability to shield IP addresses and online personas, it can be difficult to uncover the identities of those running these kinds of marketplaces that are hidden from the vast majority of Internet users. In this case, it may be that Ulbricht was undone by his use of a Gmail address. [CSO Online]

US – “Big Data” Likened to Atomic Power and Other NSA-Related News

A scientist suggests that Big Data is akin to atomic energy in that “it’s very beneficial when used ethically and downright destructive when turned into a weapon.” Meanwhile, in its ongoing series examining the digital trails we leave behind “and who potentially has access,” NPR considers whether the Fourth Amendment provides any protection. And a Tech Dirt feature focuses on 2013 IAPP Vanguard Award winner and former Department of Homeland Security (DHS) CPO Mary Ellen Callahan, founder and chair of Jenner & Block’s Privacy and Information Governance Practice. The report cites Callahan’s comments in support of protecting Americans’ privacy rights amidst what its author references as a “lack of respect for privacy in both (DHS) and the wider intelligence community.” [TechDirt]

Law Enforcement

CA – Police Consider Wearable Cameras

The Toronto Police Service is considering wearable cameras for its police force. The aim of the wearable cameras is to provide the police and the public with better accountability. Deputy Chief Peter Sloly said the force is in the process of researching the cameras and understanding the potential logistical factors. “We’ll have to look at the IT supports,” he said, “the governance—there’ll be privacy issues.” The cameras would potentially be worn on glasses to record incidents from the officer’s view. A representative from the Canadian Civil Liberties Association has expressed concern over the technology, saying that “if you have all these things on your databases, what are the other potential uses of this? Have they thought this through?” [The Globe and Mail]


US – Advertisers Finding New Ways to Track Mobile Users

New trends in mobile tracking—even if “tracking is a dirty word” now, according to Eric Rosenblum, COO at Drawbridge, a start-up that is “observing your behaviors and connecting your profile to mobile devices.” Thus, advertisers are now able to connect desktop browsing with mobile devices based on app downloads and other indicators. Other firms, like Flurry, Velti and SessionM are doing similar work in helping advertisers like Ford, American Express and Expedia better target potential customers, according to the report. For many advertisers, the report says, “cookies are becoming irrelevant.” [The Boston Globe]

WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations“ function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Bolstering Brick-and-Mortar Transparency

Improved technology now allows brick-and-mortar retailers to collect data—including location and contacts—from customers’ smartphones, but according to research conducted by Create with Context (CwC), only 33% of the customers surveyed were aware of such collection. Previous research has revealed that when customers are unaware of such data collection—but then find out about it later—trust erodes. “How, then,” Ilana Westerman and Gabriela Aschenberger, both of CwC, ask, “can businesses create transparency around data collection?” [Full Story]

WW – App Tracks Consumers in Exchange for Discounts

A new shopping app tracks consumers and gives them discounts based on their location. Capable of detecting microlocation—detecting such minute details as the aisle of a store in which a consumer is standing—it communicates with the Bluetooth in users’ cellphones and alerts them to tailor-made discounts. The app’s investors and CEO “are betting on the fact that consumers won’t mind tracking if they get a significant payback from it,” the report states. The app raised $8 million in venture capital Tuesday. [Blouin News]

Online Privacy

WW – Facebook No Longer Lets Users Hide from Search

Facebook has announced the final phase of removing an old privacy feature from the site. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting. [USA TODAY]

EU – Privacy Group Receives Facebook Response

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision. [Full Story]

WW – W3C Do Not Track in Limbo

The W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month , said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. [The Privacy Advisor]

WW – W3C to Vote on DNT Effort

Web standards group the World Wide Web Consortium is set to vote Wednesday on whether it will continue with its Do-Not-Track (DNT) standard. Justin Brookman, the group’s newly appointed co-chairman, said he expects stakeholders “will express a desire to move forward,” adding, “We’ve had a couple of calls under the new leadership now, and so far the new structure seems to be working.” If the group expresses a desire to not move forward, Brookman said it would be “better to end it now than spend another two years squabbling and not coming to a resolution because people aren’t invested in the process.” The Washington Post reports that the increasing move by consumers to mobile will likely make current cookie-based DNT technology less relevant. According to several surveys, the majority of users now surf the web via mobile apps rather than browsers. [The Hill]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [Facebook]

US – DMA Releases Study Touting Data-Driven Job Production

The Direct Marketing Association (DMA) has released a study indicating data-driven marketing led to 675,000 jobs in the U.S. in 2012. The study responds to an increasing focus on regulating online tracking and data-driven marketing, a push that often puts the online ad industry on the defensive. The DMA’s Rachel Thomas said the study’s release aims to help change that. Meanwhile, the Better Business Bureau says “a ‘significant minority’ of publishers don’t follow self-regulatory rules requiring enhanced notice about data collection,” MediaPost reports. [The Hill]

US – Data-Mining App Receives $10M in Funding

Refresh, a mobile app mines data of individuals present at meetings by gleaning information from social networks and other publicly available sources, and how the app has just received $10 million in venture capital. Refresh founder Bhavin Shah said, “It’s common now for each of us to have 10-plus years of posts, tweets, job history, Q&A, check-ins, etc. Now is the right time to start leveraging that fragmented information to make us more thoughtful and intelligent about our friends, colleagues and everyone we meet.” He added that Refresh’s work “allows us to anticipate who you’re going to meet today and consolidate interesting information about them into a just-in-time dossier delivered to your smartphone.” [Fast Company]

Other Jurisdictions

AU – OAIC Releases Best Practice Guide for Apps

The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphones apps due to privacy concerns. [TechWorld]

AU – Gov’t Urged to Rewrite Terms of Reference

The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward. [The Australian]

ZB – Zimbabwe Passes Centralized SIM Card Database

The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013 establishes a central database of information about all mobile telephone users in the country based on powers granted through the Interception of Communications Act. The Statutory Instrument requires telecommunications providers to establish a subscriber database of all SIM card holders including phone numbers, names, addresses, genders, nationalities and passport or ID numbers, then regularly submit copies to the government, which will create its own central subscriber information database. [Kubatana]

Privacy (US)

US – Markey Urges FTC to Vet Tracking Technologies

Sen. Ed Markey (D-MA) has called on the FTC to investigate technologies that allow companies to track users across multiple devices. “Such persistent and pervasive tracking raises a number of important privacy concerns for all Americans,” Markey said in a letter to the FTC Thursday. Meanwhile, a new report from privacy researchers indicates many websites are using new technology to secretly track users’ browsing habits. At the EmTech 2013 conference in Cambridge, MA, this week, a senior advisor to Microsoft CEO Steve Ballmer said a new privacy model is needed to address the ways data is gathered, eWEEK reports. [The Hill]

US – Airbnb Says “Nay” to AG’s Request for Data

New York State Attorney General (AG) Eric Schneiderman demanded that apartment-sharing site Airbnb release user data on 15,000 New York City apartment hosts to investigate the legality of the site, but Airbnb has filed a motion in the New York State Supreme Court objecting to the AG’s demands. In a statement, an Airbnb spokesman said, “The subpoena issued by the attorney general last Friday goes well beyond bad actors and demands information about thousands of regular Airbnb hosts in New York. So, we made it clear to the attorney general’s office from the very beginning that we would never agree to this type of government-sponsored fishing expedition.” [Business Insider]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [Full Story]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Group Presses for Safeguards on the Personal Data of Schoolchildren

Common Sense Media is calling for the educational technology software industry “to develop national safeguards for the personal data collected about students from kindergarten through high school.” In a letter sent to 16 educational technology vendors, the advocacy group urged that student data be used “only for educational purposes and not for marketing products to children or their families.” Common Sense Media CEO James P. Steyer said, “We believe in the power of education technology, used wisely, to transform learning … But students should not have to surrender their privacy at the schoolhouse door.” [The New York Times]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at this week’s IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [Full Story]

US – Callahan Named Vanguard; Innovation Award Recipients Announced

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs. [Full Story]

US – Advocates Call for Open Talks, Warn NSA Weakening Cybersecurity

A group of privacy advocates is warning that attempts by the U.S. National Security Agency (NSA) to weaken encryption for surveillance access will create mistrust in U.S.-based Internet companies around the world. Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former Google public policy director, said for U.S. businesses, it is “terribly debilitating and undermining to have the rest of the world thinking there have been backdoors built into their systems to help the U.S. government.” The developments will also erode trust in the U.S. National Institute of Standards and Technology because of reports the standards group aided the NSA in tampering with the standards. Meanwhile, six privacy advocacy organizations are calling on the U.S. House of Representatives Privacy Working Group’s leaders to open up its meetings with tech companies to the public. [PC World]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Eggers Book Satirizes Threat to Privacy

Dave Eggers’ book The Circle, satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times  wonders if the novel will change the way we use technology. [The Associated Press]

US – Student Data Repository Debate Continues

The New York Times reports on the ongoing questions surrounding school district plans to outsource student data storage and the privacy implications. The article focuses on how a Colorado superintendent saw nonprofit data repository inBloom as a fix for managing data currently in multiple databases in the cloud. But “a series of parents, school board members and privacy lawyers assailed the plan to outsource student data storage to inBloom.” Among those who voiced concerns was EPIC’s Khaliah Barnes, who said, “While we understand the value of data for promoting and evaluating personalized learning, there are too few safeguards for the amount of data collected and transmitted from schools to private companies.” The district is expected to decide on the plan by January, the report states. [New York Times]

US – Rosenthal Is NAI’s New General Counsel, VP

The Network Advertising Initiative (NAI) has announced that longtime member company representative Noga Rosenthal has joined the NAI as its general counsel and vice president of compliance and policy. Rosenthal, who was formerly the senior vice president of 24/7 Media and Media Innovation Group, LLC, “will assist the NAI in its core mission of reinforcing responsible business and data management best practices through the development and rigorous enforcement of high standards.” “With online advertising expanding every year and the role of third parties and the technologies they employ highly debated by lawmakers and industry representatives, it is an incredibly important time to be joining the NAI team,” Rosenthal said. [Ad Ops]

US – AGs: We Aren’t Afraid to Flex Our Muscles

Representatives from the offices of three state attorneys general (AGs) said they aren’t reluctant to bring actions against companies involved in data breaches. Vermont Attorney General William Sorrell said AGs would bring such action to “serve as an example to other companies and … to have a relatively equal playing field.” Joanne McNabb of the California AG’s office pointed to the recent creation of a privacy unit under California AG Kamala Harris as proof of privacy’s importance to the state. [Bloomberg]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries.” Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [MediaPost News]

Privacy Enhancing Technologies (PETs)

WW – Cyber security: Privacy experts profit from Prism uproar

A burgeoning privacy-enhancing technology business and the rising profits is stemming from Edward Snowden’s surveillance disclosures. Businesses and governments, in addition to journalists, are demanding encryption services for protection. Silent Circle, which offers text and phone encryption services, is used by 16 of the Fortune 50 companies. Silent Circle CEO Mike Janke said, “We were growing 100% a year before the NSA/PRISM scandal; now we are growing at 400%.” He added, “Ten years ago, if you had encryption on a device, people asked what you are hiding. Now if you’re a businessperson and you don’t have it, people ask if you’re stupid.” Capital is also being invested in the privacy tech industry. All Things D reports that privacy startup Personal, which offers a digital vault service, has raised $4.5 million. According to USA Today, Yahoo will begin default encryption services in January. [Financial Times]


WW –Shortage of Cyber Security Professionals Felt Worldwide

Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists. [NBCNews] [Japan Needs 80,000 Infosec Professionals]

US – Voluntary Exec Order Cybersecurity Standards Are Baseline Expectations

US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach. The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, “There is a major difference between being ‘compliant,’ and being ‘secure'” and that securing data is not an endgame – it’s a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014. [Information Week] [ComputerWorld]

BR – Brazil Plans Secure Government eMail System

The Brazilian government has given the country’s Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government’s electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country’s national oil company, Petrobras. [CpomputerWorld]


US – Are Providers Outside the U.S. Safer from Gov’t Intrusion?

The National Security Agency’s (NSA) harvests hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world. Each day, the NSA collects contacts from about 500,000 buddy lists and web-based e-mail accounts, the report states. Meanwhile, Solicitor General Donald Verrilli has asked Supreme Court justices not to hear the Electronic Privacy Information Center’s case asking for an immediate shutdown of NSA phone surveillance of Americans. In San Francisco, tech company BitTorrent has owned up to defacing its own billboards in order to capitalize on privacy fears following NSA revelations. And a U.S. appellate court has unsealed a set of documents pertaining to Lavabit, whose founder resisted government pressure for access to it. Ars Technica says, despite NSA revelations, foreign e-mail providers may not be any safer from government intrusion than those based in the U.S. [Washington Post]

US – NSA Attempts to Crack Tor Are (Mostly) Unsuccessful

According to leaked documents, the NSA attempted to monitor targets using Tor by exploiting vulnerabilities in Firefox. NSA and its UK counterpart, GCHQ, have been trying for some time to crack Tor. Short for The Onion Router, Tor is an online anonymization service that helps users hide their identities and their online activity by routing encrypted traffic through other computers, which are volunteered by those machines’ owners. One of the attempts to break Tor involved infecting the computers of Tor users. The report indicated that the NSA has been unsuccessful in decrypting Tor communications but had managed to “de-anonymize a very small fraction of Tor users.” [BBC] [Guardian] [Schneier] [Ars Technica]

US – Privacy Fears Grow as Cities Increase Surveillance

Increased use by local law enforcement agencies of Big Data surveillance technology are raising corresponding privacy concerns. Particularly, the city of Oakland, CA, recently received $7 million in federal funding to help fight terrorism at its major port. The money, according to the report, is being used for a police initiative including the purchase of gunshot-detection sensors in East Oakland and license plate scanners in police cars. Federal money is also supporting similar initiatives within the New York Police Department, including a system that links more than 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Oakland City Councillor Libby Schaaf said “it’s our responsibility to take advantage of new tools that become available,” but added that the system could “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.” [The New York Times]

Telecom / TV

US – New TCPA Rules in Effect

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) went into effect October 15. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. [Covington & Burling client alert]

US Government Programs

US – TSA’s “Pre-Check” Raising Concerns

The Transportation Security Administration (TSA) Pre-Check program, which is due to formally launch this fall, “will already have the enthusiastic endorsement of frequent travelers—and an equally enthusiastic denouncement from privacy advocates.” The Pre-Check “trusted travelers” program may allow enrollees to bypass airport security lines, but it has privacy advocates pointing out that even those who pay the fee to enroll have no guarantee they’ll be included and those who are excluded may not be told why. “If you sign up, you’ll want to keep your nose clean for the rest of your life,” noted the Center for Democracy & Technology’s Gregory Nojeim, “because that’s how long the FBI will keep your fingerprints.” [The Washington Post]

US – FISC Approves NSA’s Request to Renew Phone Metadata Collection

The US Foreign Intelligence Surveillance Court has reauthorized the NSA’s phone call metadata collection program. The previous authorization order expired on October 11. News of the reauthorization was disclosed in a press release from the Office of the Director of National Intelligence. [ArsTechnica] [The Hill] [DNI Press Release]

US – Judge: Intelligence Director Withheld Docs Properly

A federal judge has ruled the director of national intelligence properly withheld documents related to how his office uses databases to fight terrorism. The Electronic Privacy Information Center filed suit in Washington, DC, after obtaining documents via a Freedom of Information Act request with the Office of the Director of National Intelligence on how the National Counterterrorism Center gets information from other federal agencies, the report states. Meanwhile, Director of the National Security Agency (NSA) Gen. Keith Alexander said the NSA must regain consumer and industry trust . In an opinion piece for Aljazeera America, Dan Froomkin opines that what’s needed is not promises from politicians but a public discussion of what privacy means in this new era. [Courthouse News Service]

US – General Alexander’s Scope of Influence Raises Concerns

NSA Director General Keith Alexander also heads the US military’s Cyber Command. Some have expressed concern about Alexander’s dual roles. The Brookings Institute’s Peter Singer said that it “blurs the lines between a military command and a national spy agency.” Alexander defends the breadth of his influence, saying, “We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who’s in charge.” Jason Healey director of the Atlantic Council’s Cyber Statecraft Initiative said. “We’re allowing the same commander to tell us how bad the problem is and propose and implement solutions to fix it.” [WashPost]

US – Proposed Legislation Would Reform Foreign Intelligence Surveillance Court

Two US legislators are sponsoring a bill that would reform the Foreign Intelligence Surveillance Court (FISC). The proposed legislation is a companion bill to one introduced in the Senate earlier this year. Among its provisions are the creation of an Office of the Constitutional Advocate to argue for civil liberties during court proceedings and a requirement that the Attorney General declassify or summarize certain FISC decisions. [WashPost]

US – NSA Admits to Cellphone Location Data Gathering Pilot

The NSA has acknowledged that in 2010, it initiated a test project to collect wholesale cellphone location data on regular citizens, but ended the program in 2011 because it did not provide “operational value.” NSA director General Keith Alexander said on Wednesday, October 2, that sample cellphone location data were collected “to test the ability of [the NSA’s] system’s to handle the data format, but that data was not used for any other purpose.” Alexander had evaded answering a question about the subject last week in a hearing. Senator Ron Wyden (D-Oregon) suggested that there is still “significant information” that has not been disclosed. [WashPost] [Register]

US – More Privacy Victims of the Govt. Shutdown

Groups tasked with U.S. intelligence oversight have suffered a setback at the hands of the U.S. federal government shutdown. According to a Politico report, the five-member Review Group on Intelligence and Communications Technologies, the independent surveillance oversight board created by President Barack Obama to respond to criticisms of the National Security Agency’s activities, met with Congressional intelligence leadership on Tuesday, but member Michael Morell, former director of the CIA, declined to take part, saying it was inappropriate in light of the shutdown. Then, on Friday, the Review Group’s staff was furloughed by the Office of Director of National Intelligence James Clapper. The volunteer board is free to meet, but all travel funds, etc., are frozen. Similarly, the Privacy and Civil Liberties Oversight Board was supposed to hold a public hearing Friday on proposals for changing surveillance programs but postponed the session because witnesses were unable to appear. Roughly 70% of the intelligence community in the U.S. is currently on furlough. Meanwhile, some are questioning why the FTC, for example, has chosen to cut off all access to its website during the shutdown. [Full Story]

US Legislation

US – Citing “Failure of Oversight,” Patriot Act Author Sponsors Reform Bill

US Representative James Sensenbrenner (R-Wisconsin), who authored the original Patriot Act in the days following the September 11 attacks, is displeased with how the legislation has been used to justify the NSA’s data harvesting programs. Sensenbrenner is introducing legislation with co-sponsors Senator Patrick Leahy (D-Vermont) and Representative John Conyers (D-Michigan) to try to address concerns over how the law has been used. The USA Freedom Act restricts aspects of the Patriot Act’s controversial section 215 so it will be used more narrowly, in line with the original intent of the law. The bill also introduces changes to the FISC, including creating the position of public advocate to appeal court decisions that appear to violate the law, and allowing companies that have been served with the orders to specify the number of FISA orders and NSLs (national security letters) they have received and complied with. [WashPost]

US – White House Pursuing Online Privacy Bill

Now 18 months out from President Barack Obama’s unveiling of a proposal for a Privacy Bill of Rights, Politico reports that the White House is actively working on legislation that would “boost online privacy safeguards for consumers.” According to the report, the bill would define privacy rights, convene further multistakeholder approaches to defining standards and give the FTC authority to enforce codes of conduct. The Commerce Department is helping to draft the legislation, according to the report, and Rep. Lee Terry (R-NE), chairman of the House Energy and Commerce Subcommittee, has been approached about helping to shepherd the bill through Congress. The Internet Association, Direct Marketing Association and others are lining up to make sure their voices are heard. Urgency is lent by continuing NSA revelations, such as today’s news that the National Security Agency used a Firefox flaw to target users of the anonymous Tor network. [Full Story]

US – CalOPPA Introduces New Disclosure Requirements

On September 27, Gov. Jerry Brown signed into law California Assembly Bill 370, which amends the California Online Privacy Protection Act requiring businesses to disclose how they respond to Do-Not-Track (DNT) signals. The new law, which may effectively apply to any website or mobile app in the world, is the first to officially address the DNT mechanism endorsed by the Federal Trade Commission and debated by industry. While the disclosures required under the new law appear straightforward, they present formidable compliance challenges for covered businesses given that they mandate the implementation of standards and concepts that are not well settled in law or practice. [Full Story]

US – California Continues to Shape Privacy and Data Security Standards

With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. The Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented. [Privacy Tracker]

US – Montana Gun Owner Healthcare Privacy Law Goes Into Effect

As of October 1, healthcare providers—including psychological practitioners—are no longer allowed to ask patients about gun ownership, possession or use. HB 459, now Montana law at 50-16-108, M.C.A., aims to address gun owners’ concerns that medical records could be used to collect and centralize information about gun ownership. [Fairfield Sun Times]

US – DoJ, Oklahoma Rep. Considering Drone Regulations

A new report from the Office of the Inspector General (OIG) recommends that the Department of Justice look into creating rules for law enforcement’s use of drones. The OIG’s recommendation follows an audit of drone use by the FBI, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration and U.S. Marshals Service. Meanwhile, Oklahoma Rep. Paul Wesselhoft (R-Moore) is teaming up with the American Civil Liberties Union to come up with privacy laws surrounding the use of drones by the government. [The Verge]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach. [Mondaq]

US – Telemarketing Rules Go Into Effect this Month

The Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.” [Privacy and Security Matters]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [The Privacy Advisor]

US – Revenge Porn Law Doesn’t Go Far Enough: Opinion

On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelton, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.” [Slate]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach.[Mondaq]

Workplace Privacy

WW – Report: Most Breaches Come From the Inside

A new report reveals that the most common cause of a data breach within an organization stems from inadvertent misuse of data by employees. Conducted by Forrester Research, the report, Understand the State of Data Security and Privacy , surveyed organizations from Canada, France, Germany, the UK and the U.S. with two or more employees. Approximately 42% of small- to medium-sized organizations surveyed had received some sort of internal data protection training. Forrester Analyst Heidi Shey, author of the report, said, “A lot of organizations haven’t invested in a dedicated privacy group or function,” and many IT departments have privacy as an extra layer, adding that, moving forward, organizations may conclude they need a dedicated privacy group. Meanwhile, startup Lookout is stepping into the bring-your-own-device arena by offering an app that bolsters smartphones against data breaches. [PC World]




16-30 September 2013


US – Homeland Security Testing Facial Recognition At Hockey Game

The Department of Homeland Security will test facial recognition software capabilities at a September 21 hockey game in the state of Washington. The Tri-Cities Toyota Center can seat 6,000 fans. Twenty specific faces will be sought by the technology, called the Biometric Optical Surveillance System (BOSS). A privacy impact assessment in 2012 found the technology was capable of capturing images of an individual from 50 to 100 meters away and can be set up to track an individual as he or she moves. Fans will be allowed to opt out and sit in an area without cameras; no names will be collected, and only government researchers will see the images, the report states. [Computerworld]

WW – Facedeals to Use Facial Recognition for Targeted On-Site Advertising

Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—”ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal? [MarketingLand]

US – Franken Wants Answers on Fingerprint Passwords

Sen. Al Franken (D-MN) is concerned about the fingerprint swipe password feature on Apple’s latest iPhone release. In a letter to Apple CEO Tim Cook, Franken wrote, “Passwords are secret and dynamic; fingerprints are public and permanent … If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints.” Franken asked Cook to answer questions on how fingerprint data will be protected and with which third parties it may be shared. Meanwhile, a group of hackers in Germany say they have successfully hacked the fingerprint feature. Full Story


CA – OPC Encourages Parliament To Review PIPEDA

With a new parliamentary session scheduled to begin in October, Sébastien Gariépy, spokesman for Industry Minister James Moore, has said “he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.” An Office of the Privacy Commissioner spokesman noted, “Much has changed as the years have passed, and the commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches. Our office would again encourage parliamentarians to proceed with a second review of PIPEDA.” [Bloomberg BNA] SEE ALSO: [Stoddart: PIPEDA “Really Doesn’t Do Anything”]

CA – Resurfacing of Photo Highlights Lack of Control

A photo of a deceased teen girl turned up in third-party dating ads on Facebook, highlighting “how little control anyone has over any image once it gets out into the Internet sphere,” says technology and law Prof. Robert Currie. “It really seems to me to be an unfortunate accident that is causing a lot of grief … But it’s just the kind of thing that is going to happen,” says Currie. The company posting the ad used an image scraper to get the image, according to its administrator. Facebook has banned the company, saying the ads are a “gross violation” of its policies. [The Canadian Press]

CA – Advertisers Offering Consumers Choice

The Digital Advertising Alliance of Canada (DAAC) has announced a program to allow consumers “to control whether they want to receive targeted advertising messages.” Canadians will soon begin to see an “Ad Choices” icon in this offshoot of a movement that began in the U.S. and later spread to Europe. The DAAC hopes to educate consumers about how they are targeted, while the Office of the Privacy Commissioner has said it is “pleased that the advertising industry is taking action on this issue … the use of online behavioural advertising has grown dramatically and we are concerned that Canadians’ privacy rights are not always being respected.” [The Globe and Mail]


US – Study: Consumers Favor Companies That Let Them Opt Out

A recent TRUSTe study has found that 62% of consumers will do more business with a company that gives them the option to opt out of online behavioral advertising. The study, which polled 1,171 U.S. Internet users, also found that 53% of consumers are more willing to click on an ad that gives them the option to opt out and that users feel more positive about the business behind an ad if the Digital Advertising Alliance’s AdChoices icon is displayed, indicating a growing awareness of the tool. [Truste Consumer Data Repoert]

US – Survey Results Indicate Companies Should Compete on Privacy

A survey shows “40% of companies use customer information collected online for targeting purposes and 88.5% of chief marketing officers (CMOs) expect this practice to increase over time.” Another report suggests data hoarding can be a drag on business , presenting dangers including potential legal issues surrounding the requirements to protect the data a company possesses. The CMO study indicates marketers “have very low levels of concern about how the use of online customer data infringes upon privacy.” Considering this in the context of a Pew survey where 86 percent of respondents indicated taking “steps to remove or mask their digital footprints,” the report suggests companies should compete on privacy. [Forbes]

WW – The Privacy Paradox for Bank Loyalty Programs

A recent survey of 6,000 individuals belonging to loyalty card programs across the U.S. queried respondents to classify certain types of targeted marketing as “cool and exciting” or “creepy and weird.” Respondents to the Maritz Loyalty Marketing survey on average enrolled in 7.4 loyalty programs, with 1.8 connected to a credit or debit card. Card program categories included retail, grocery, hotel, airline, entertainment and financial services. Respondents over the age of 50 tended to get more “creeped out” by use of their personal data than younger individuals even when special benefits were transmitted. The marketing function that received the highest “creepy” rating stemmed from reviewing Facebook posts of friends to determine rewards eligibility. [American Banker]

US – Acxiom to Create ‘Master Profiles’ Tying Offline and Online Data

Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. [Financial Times]


US – DOE Now Says July Breach Affected 53,000 People

The US Department of Energy (DOE) has updated information about a July data breach that compromised employees’ personally identifiable information. DOE now says that the breach affects 53,000 current and former employees, contractors, and dependents. The information compromised includes names, Social Security numbers (SSNs) and birth dates. The attacker or attackers exploited a known vulnerability in an unpatched ColdFusion system called DOEInfo. The department’s investigation indicates that the theft of the personal information “might have been the primary purpose of the attack.” DOE will notify all affected individuals within the next two weeks. [InformationWeek][DOE Cyber Incident Information]


WW – Email Surveillance Could Reveal Journalists’ Sources, Expert Claims

Creator of the email encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine. ]Full Story]

US – App Maps Users’ Lives Via Inbox Scanning

An app built by a group of MIT researchers that visualizes users’ social lives by looking at their e-mail inboxes. Immersion uses timestamps and the to, from and CC fields to draw a map of the user’s social connections. It offers users a look at Big Data and the “digital exhaust they’re continually leaving behind,” said MIT’s Cesar Hidalgo, adding it’s a particularly useful perspective following revelations of NSA surveillance measures. The app does allow users to delete data upon logout. “If I am able to withdraw my money from my bank account, I should be able to withdraw my data from my e-mail provider,” Hidalgo said. [WIRED]

US – Problems Surfacing with Reassigned Yahoo Accounts

Some people who obtained reassigned Yahoo email addresses are receiving personal messages meant for the prior account holder. Some of the messages contain sensitive personal information, such as data about other accounts, emailed receipts, and appointment and travel confirmations. Earlier this year, Yahoo said it would begin reassigning email addresses and Yahoo IDs that had been inactive for more than a year. A company representative said that before reassigning the identifiers, they attempted to contact the account owners in several ways. Yahoo said they would unsubscribe the dormant accounts from newsletters and alerts and notify “merchants, ecommerce sites, financial institutions, social networks, email providers, and other online properties” that the account no longer exists before reassigning the name. [BBC] [CNET] [InformationWeek]

US – Users Sue LinkedIn Over Harvesting of E-Mail Addresses

A new lawsuit against LinkedIn has been filed by four users who claim the professional networking site accessed their e-mails without consent and used the harvested addresses of their contacts to spam non-users with invites to the service. In one claim, the suit alleges LinkedIn is “breaking into” external e-mail accounts pretending to be the user, but no details are offered. In response, LinkedIn has released a blog post refuting the claims. In separate class-action news, a Politics in Minnesota report details the mounting data protection lawsuits being filed against the government after one case resulted in more than $1 million worth of settlements from illegal government access to driver’s license records. [The New York Times ]


US – NSA Defeats Internet Encryption

According to documents leaked by Edward Snowden, the US government has spent more than US $10 billion over four years on the Consolidated Cryptologic Program. The documents also show that the NSA has used its influence to insert encryption weaknesses in currently used standards; used a variety of techniques – including hacking – to acquire cryptographic keys from various technology companies; and in some instances, broke into targeted machines to intercept messages before they were encrypted. [NYTimes] [ArsTechnica]

WW – Google Will Send All Searches Over SSL

Google is now sending all searches over secure sockets layer (SSL). Google has been using SSL to protect Google account holders’ searches since 2011. SSL encrypts connections between users’ computers and Google, which means that ISPs, Wi-Fi hotspots, and Internet cafes cannot intercept searches conducted through Google. Users’ search results will be protected, but their search terms and the fact they that they visited may not be protected. [SCMagazine]

US – RSA Warns Customers Not to Use Cryptography with NSA Backdoor

RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company’s products, the BSAFE toolkit and Data Protection Manager, use the specification, known as Dual EC_DRBG, by default. RSA recommends that customers using the affected products switch to a different pseudo random number generator (PRNG). [ArsTechnica]

EU Developments

EU – Reports Call for EU Cloud, Student Data Protection

A report commissioned by the European Parliament that suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance.” Meanwhile, a report, “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.” [Fierce Government IT]

EU – MEPS: Stop TFTP Agreement in Its Tracks

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended. The demands to halt the Terrorist Finance Tracking Program (TFTP) at a recent hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. “We have no evidence that they have actually been doing this, but they don’t deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future,” said Dutch MEP Sophie in’t Veld, adding she considers the agreement to be “effectively dead.” [PCWorld]

EU – MEPs Hear US Privacy Experts, Whistleblowers And Snowden Statement

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, “not privacy, per se.” Meanwhile, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications. [EuroParl]

EU – Lawmakers Accused of Rushing EU Data Protection Law

“Industrialists and diplomats have accused MEPs of rushing through data protection laws that they say would boost their electoral chances more than Europe’s economies.” At an event in Brussels, policymakers and industry representatives clashed over the EU draft regulation’s timeline, the report states, citing comments by the European Commission’s Paul Nemitz indicating companies that value their customers’ needs will not have issues with the new rules. “If you are operating cross-borders, your life is likely to become easier. Why? Because in the future, we’ll have one law in form of a regulation rather than 28 implementing laws based on a directive and we will have a consistency mechanism,” Nemitz said. [EurActiv]

EU – Dutch IT Trade Org Objects to Proposed Breach Notification Legislation

A trade organization representing IT companies in the Netherlands is objecting a proposed law in that country requiring technology companies to report security breaches. Nederland ICT says that Dutch companies are already required to report breaches to several organizations and that the new legislation would just create more administrative work. The draft legislation affects select industries that are part of the country’s critical infrastructure and aims to clarify notification requirements for those companies that experience breaches. The government says the bill intends that only severe breaches must be reported, but Nederland ICT says that if the bill becomes law, companies are likely to start reporting all breaches. [ZDNet]

EU – MPs Give Data Harvesters “Green Light”

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament’s commitment to protecting consumer rights.” The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states. [Full Story]

EU – Google and Facebook Face Tougher EU Tax and Privacy Rules

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” [Financial Times]


US – NSA Program Monitors Credit Card Transactions

The U.S. National Security Agency’s (NSA) “Dishfire” program collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84% of NSA financial database Tracfin in September 2011. [Der Spiegel]

US – CFPB Guidance: Fraud Reporting Won’t Breach GLBA

The Consumer Financial Protection Bureau (CFPB) has issued new guidance informing banks it’s their responsibility to report instances of suspected fraud of senior citizens and, according to the CFPB, reporting such exploits will not contravene the Gramm-Leach-Bliley Act. Bank tellers and other financial employees “can be instrumental in reporting such fraud,” said CFPB Director Richard Cordray, because they are familiar with the customers who may be exploited, The Wall Street Journal reports. [Source]


WW – Tech Giants Ask 21 Countries to Release Surveillance Data

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same. [The Hill]

US – Microsoft Releases Data on Government Requests for Information

Microsoft’s most recent Law Enforcement Requests Report details the number of requests for information it received from governments worldwide in the first half of 2013. Based on that number – 37,196 – Microsoft looks to be on track to receive roughly the same number of requests it did in 2012, when it received just over 75,000 requests. The report breaks down the requests by country, and indicates the company’s response to the requests. Microsoft provided non-content user data for 77 percent of the requests, while it provided customer content for 817, or 2.2 percent, of requests. The US government made 7,014 requests affecting 18,809 accounts. The report does not provide information about US national security requests. [ComputerWorld] [ZDNet] []


US – NIH Seeks Comments on GDS

The National Institutes of Health (NIH) is calling for comments following the publication of its draft Genomic Data Sharing (GDS) policy. The GDS, which applies to all NIH-funded research, “details the need to strip all data of names, Social Security numbers and other identifiers before uploading,” the report states, noting de-identified data is then required to be coded at random to protect privacy. “All data is subject to NIH’s desire for widespread sharing,” according to the report. [FierceBioTechIT]


EU – French Data Protection Agency May Fine Google for Privacy Violations

France’s data protection agency, CNIL, plans to fine Google for failing to comply with that country’s privacy requirements. Google was warned of the fines in June; the company was given three months to amend its privacy policy to clarify its collection and use of user data. The issue centered on Google’s decision to combine 60 services under a unified policy that allows the company to merge data from its different products, such as Gmail, YouTube, and Google+. The concern is that some users may not want their data connected in this way. Google maintains that its current privacy policy respects EU privacy laws. [WashingtonPost] [ComputerWorld] [CNET]

US – Google’s eMail Scanning May Violate Wiretap Law

A US federal judge in California has ruled that a lawsuit brought against Google for violating US wiretap law may move forward. The lawsuit alleges that Google violates the law when it scans email messages. Google maintains that it scans all emails that pass through its servers to check for spam as well as to create user profiles and provide targeted advertising. Google was seeking to have the lawsuit dismissed under a portion of the wiretap law that allows email providers to intercept messages if the action helps the message get delivered or is incidental to the efficient functioning of service. US District Judge Lucy Koh wrote in her decision, “the statutory scheme suggests that Congress did not intend to allow electronic communication service providers unlimited leeway to engage in any interception that would benefit their business models.” [Washington Post] [WIRED]

Health / Medical

US – Obama to Reinforce Privacy in Affordable Healthcare Act

The Obama administration is seeking to bolster privacy protections for Americans signing up for the federally mandated Affordable Healthcare Act. To help stem identity theft, personal privacy protection and fraud, the administration plans to launch a toll-free telephone number to report fraud incidents and an online verification system. Attorney General Eric Holder met with Department of Health and Human Services Secretary Kathleen Sebelius and FTC Chairwoman Edith Ramirez to discuss the privacy and security implications of the impending law. Concern has also been expressed about counselors—also called navigators—who are set to educate and help Americans enroll in the health exchanges. A House Committee report stated, “There are already reports from across the country that scam artists are attempting to impersonate navigators and assisters to steal credit card information and personally identifiable information in order to take advantage of massive confusion about Obamacare.” [Reuters]

US – Data Privacy Tests Needed, GOP Lawmakers Say

House and Senate Republicans have introduced legislation that would delay enrollment in the healthcare exchanges under the Affordable Healthcare Act until it is confirmed that robust data protection standards are in place. Sen. Orrin Hatch (R-UT), a sponsor of the Trust But Verify Act, says the Government Accountability Office must verify that data privacy safeguards are in place. “It would simply be irresponsible to open the exchanges without adequate safeguards to protect and secure consumers’ personal information,” Hatch said, adding, “While the administration claims that these safeguards exist, there is simply no way to verify these claims absent an independent review.” [The Hill]

US – Grace Period Ends for Updated HIPAA Rule Compliance

As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules’ security and privacy measures, and new restrictions on covered entities’ marketing and sale of personal health information. [SC Magazine]

US – HHS Releases Model HIPAA Privacy Notices

The Office for Civil Rights, in collaboration with the National Coordinator for Health Information Technology, has released three model privacy notices to help providers comply with the Health Insurance Portability and Accountability Act (HIPAA), according to a U.S. Department of Health and Human Services press release. The three new notice of privacy practice models were constructed out of input from “consumers and key stakeholders” and include the recent changes in the HIPAA Omnibus Rule. The three options include notice in the form of a booklet, a layered notice and a text-only version. [HHS]

US – HHS Launches Meaningful Consent Site for Providers

The Department of Health and Human Services (HHS) has launched an online resource to help healthcare providers “effectively engage patients” in choosing how they want their electronic health information shared. The site provides strategies and tools to help educate patients. “As patients become more engaged in their healthcare, it’s vitally important that they understand more about various aspects of their choices when it relates to sharing their health in the electronic health exchange environment,” said the chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology. [HHS]

US – Omnibus Rule Kicks In, Four Compliance Steps for BAs

In light of the implementation date of the HIPAA Final Rule on Privacy and Security, there are four steps that business associates (BAs) need to take to comply with the update. For covered entities, the effects “are mostly incremental because the compliance structure remains unchanged,” but for BAs, the change “raises the risks of noncompliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities,” making them subject to government fines and civil penalties, the report states. Meanwhile, a new study reveals there is increasing confidence in cloud technology among healthcare policy decision-makers. [Government Health IT]

US – OCR’s Rodriguez Says Increased Enforcement Ahead

The Office for Civil Rights Director Leon Rodriguez said there will be increased enforcement of HIPAA regulations, highlighted the importance of appropriately protecting patient privacy and discussed the “what-not-to-dos” regarding healthcare privacy. “Today is a critical day for the Omnibus,” Rodriguez said. “On the one hand, you have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he noted, adding, “But at the same time, you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.” [Government Health IT]

US – US Food and Drug Administration to Regulate Some Medical Apps

The US Food and Drug Administration (FDA) will impose the same regulations on certain mobile medical apps as it does on medical devices. The apps affected are those that perform the same functions as medical devices, like blood pressure monitors. According to the FDA, “If a mobile app is intended for use in performing a medical device function [such as diagnosis, cure, mitigation, treatment, or prevention], it is a medical device, regardless of the platform on which it is run.” Apps that log and track trends would not be subject to regulatory oversight. [NextGov] [FDA Document on Mobile Medical Applications]

US – DEA Cites Third Party Doctrine With Prescription Data Case

An argument submitted by the Drug Enforcement Agency (DEA) in response to an American Civil Liberties Union (ACLU) lawsuit over the privacy of certain medical records. According to the DEA, citizens who share medical records with pharmacies—or any other third party—have “no expectation of privacy” regarding that data. According to a blog post, ACLU Attorney Nathan Wessler wrote, “Just because we trust our doctors and pharmacists with our medical information, doesn’t mean the DEA should be able to easily access it too.” [The Verge]

US – Sensor Network to Track Seniors Launched

A new product designed to track the activity of seniors living on their own. The system, created by Lively, consists of various sensors strategically placed around a home that report movements—such as refrigerator or medicine cabinet doors being opened—to a base station connected to an app. The system aims to let concerned guardians know if individuals are taking their medicine and moving around the house. “This is not ‘Big Brother’ monitoring,” said one of the company’s founders, adding, “Lively’s passive sensing tracks just enough information to interpret meaningful activity that shows how you’re doing without sharing too much.” [TechCrunch]

Horror Stories

US – Underground Identity Theft Site Hacked Data Aggregators

An underground website that trades in identity theft data reportedly gathers information by breaking into computers at major US data aggregators. The site, SSNDOB, sells Social Security numbers (SSNs), birthdates, and other personal data. Network analysis showed that SSNDOB administrators were also operating a botnet that had infiltrated servers at LexisNexis, Dun & Bradstreet, and Kroll Background America. [Krebs] [The Register]

WW – Data Broker Hackers Also Compromised NW3C

Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned”  from data breach incidents. [Krebs on Security]

Identity Issues

US – NIST Awards Grants for Development of Trusted Identity Systems

The US National Institute of Standards and Technology (NIST) has awarded more than US $7 million in grants to five organizations to develop systems for online identity protection and verification. The grants are part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). [Information Week]

AU – Australia Bar-Scanning Bill Raises Red Flags

An Australian bill is being considered that would require patrons of venues in Sydney’s Kings Cross to have their identity scanned and stored to monitor and enforce entrance bans on individuals who have committed serious crimes. The legislation would enforce ID scanning at 35 “high risk” venues and would collect names, dates of birth, addresses and photographs. Australia Privacy Foundation’s Roger Clarke said, “The measure doesn’t only affect the targeted individuals, it represents a serious imposition on all patrons of the venues that the government brings within its scope.” [The Guardian]

Intellectual Property

US – Copyright Attorney Suing Record Label Over Automated Takedown Notice

Harvard Law School professor Lawrence Lessig is suing an Australian record label that attempted him to sue him for copyright infringement. The matter involves a lecture given by Lessig that is available on YouTube. The lecture is in fact about the need for copyright law to be adjusted for the Internet. In the lecture, Lessig uses a clip from a song to which the Australian record label holds the rights. However, the company backed down after Lessig invoked the fair use legal doctrine. Lessig then sued the company for initiating a bad-faith lawsuit. Lessig filed the suit because he believes music labels should stop depending on automated systems to detect possible infringements and send takedown notices. []

EU – Spain Approves More Stringent Anti-Piracy Law

Spanish Legislators have approved new anti-piracy laws that punish even those who link to pirated content for either “direct or indirect profit.” People found guilty of piracy could face up to six years in prison for aggravated circumstances. [ArsTechnica]

US – MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools

The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California’s elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications forms among its board members. A draft of the program suggests that using other people’s works without permission is worse than copying someone’s answers on a test. Those helping to develop the curriculum stress that it is still in draft form. [WIRED]

US – MPAA Says Search Engines Should Do More to Prevent Piracy

The Motion Picture Association of America (MPAA) has released a report indicating that search engines need to make a more concerted effort to help fight piracy. The report comes just as the Commerce Department is considering ways to help private sector companies fight piracy. The MPAA’s report said that Google’s recent changes to its search algorithm have not had an effect on piracy. [WIRED] [LATimes] [Politico] [MPAA]

US – Netflix Monitors Piracy Sites to Determine Content to Buy

Netflix acknowledged that it tracks activity on known piracy websites to help it decide which movies and television programs to purchase for its online streaming service. Some others in the industry have noted that there can be an up side to piracy. According to the creator of “Breaking Bad,” piracy helped keep the show alive. Initial broadcasts of the show garnered few viewers, but once circulated through piracy, the show gained a following. A Time Warner executive suggested that the same is true of the “Game of Thrones” series. [BBC]

US – AT&T Issues Piracy Warning to Customers

AT&T is warning its customers that if they are found to be engaging in Internet piracy, their Internet access could be severed. The warning, which came in the form of a letter, is part of the company’s implementation of the so-called “six strikes” anti-piracy policy. The letter says the illegal activity “could result in mitigation measures including limitation of Internet access or even suspension or termination.” Several years ago, AT&T reportedly said it would terminate users’ accounts only upon receipt of a court order. [ArsTechnica]

Internet / WWW

WW – Is This the End? DAA Withdraws from W3C Process

In a letter sent to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance (DAA) announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.” Instead, the DAA says it is convening its own DNT process, beginning almost immediately, for evaluating “how browser-based signals can be used meaningfully to address consumer privacy.” That process “will be a more practical use of our resources than to continue to participate at the W3C,” wrote DAA Executive Director Lou Mastria. In this exclusive for The Privacy Advisor, we look at what’s next for the DAA, how the DNT process fell apart and whether legislators and the Federal Trade Commission are about to get involved.  [Full Story]

WW – W3C Not Ready to Give Up the Ghost

The World Wide Web Consortium (W3C) has announced the appointment of two new chairs for its Tracking Protection Working Group (TPWG). Carl Cargill, a director at Adobe, and Justin Brookman, from the Center for Democracy & Technology, will join incumbent Matthias Schunter, principal at Intel. This exclusive for The Privacy Advisor explores the new priorities for the W3C’s TPWG and insight from Brookman on what’s next for the multi-stakeholder process. [Full Story]

WW – With DNT, What Next for Policymakers?

In what can be perceived as a rollercoaster week for the World Wide Web Consortium’s Do Not Track (DNT) working group, IAPP VP of Research and Education Omer Tene asks if the appointment of the Center for Democracy & Technology’s Justin Brookman and Adobe’s Carl Cargill can save the process. “Hopefully, all sides will work together to pursue an agreed-upon solution, since an implosion of the process, which seemed inevitable on Tuesday as the Digital Advertising Alliance announced its departure from the group, would cast a long shadow over the prospects for multi-stakeholder resolutions to the burning privacy problems of our time,” he writes. In this post for Privacy Perspectives, Tene explores what’s next for DNT and the policymakers working on such a resolution. [Full Story]]

WW – Study: Whois System’s Privacy Controls Being Abused

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused. ICANN—a pseudo-directory of contact details for domain names—is recommending the Whois system be replaced to include authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information. [ZDNet]

Law Enforcement

CA – Police Pledge Adherence to Privacy Guidelines

Hamilton police have agreed to follow Ontario’s privacy guidelines for the use of video surveillance. The newspaper had previously revealed the police department’s video surveillance program appeared to be “violating provincial guidelines designed to protect the public’s privacy, and this had been the situation for years,” the report states. Deputy Chief Ken Leendertse announced new policies to comply with the provincial guidelines and promised an annual report reviewing the program “and its effectiveness according to the privacy commissioner’s ‘Section 4’ criteria, which deal with demonstrating an ongoing need for surveillance and proving the effectiveness of the tool,” the report states. [The Spectator]


WW – Usage-Based Car Insurance Raises Privacy Concerns

A new study out of the University of Denver reveals that pay-as-you-drive insurance plans may pose a potential privacy risk for drivers. Though insurance companies do not collect location data with these plans, the research found that driving habits, including speed, braking and acceleration, mileage and time of travel have the potential to reveal a detailed portrait of a driver’s movement within a specific time period. According to the research paper, “Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk.” [Source]

US – New Offline Tracking Methods Come to Airports

Recent reports have detailed retailer tracking of shoppers via smartphones and other mobile devices, but the practice has extended to some airports, according to Covington & Burling Partner Nigel Howard in a recent post for InsidePrivacy. The offline tracking systems aim to follow passenger patterns, detail real-time movement of travelers and track retail behavior by using a unique identifier system. Though these systems provide several benefits, Howard writes, “they also raise privacy issues that might not fit neatly into the notice-and-choice framework that—notwithstanding the FTC’s recent efforts—still is the predominant model of privacy protection in the U.S.” [InsidePrivacy]

US – Apple Wants Class-Action Status Denied

Apple says iPhone users suing the company for allegedly allowing app developers to access personal information shouldn’t be able to proceed with a class-action lawsuit. In the case, consumers claim Apple misled them by sharing their devices’ unique identifiers with app developers after promising to protect their personal information. But Apple says consumers haven’t presented “a shred of evidence that even a single app transmitted ‘personal information.’” The company is asking U.S. District Court Judge Lucy Koh to reject the plaintiffs’ request for class-action status. [MediaPost News]

Online Privacy

WW – Google May Ditch ‘Cookies’ As Online Ad Tracker

There are rumours of a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future. [USA TODAY]

US – Industry Reacts to Google Cookie Alternative

The ad industry is reacting to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. [Wall Street Journal]

US – Facebook Hires Privacy Pro as New Deputy Counsel

Facebook has hired Ashlie Beringer, a partner at California firm Gibson Dunn and co-chair of the law firm’s information technology and data privacy practice group, as the company’s new deputy counsel. Beringer will report to Facebook General Counsel Colin Stretch, “who was promoted from deputy to take the social network’s top legal job in June after long-running GC Ted Ullyot left the company.” Beringer will run Facebook’s legal department’s litigation, regulatory and product groups. She will begin at Facebook November 18. [TechCrunch]

US – Court Says Facebook “Like” Is Protected

The Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff who said he was fired for “liking” the Facebook page of a man running for his boss’s position. Chief Judge William Traxler, Jr., said in the ruling, “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the user ‘likes’ something, which is in itself a substantive statement.” However, the report cautions, “The decision may not protect social networkers who press the ‘Like’ button with abandon” as the First Amendment “primarily protects individuals from government action,” one expert notes. [MarketWatch]

US – Tumblr Inks Deal With Analytics Biz

Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.” [TechCrunch]

Other Jurisdictions

AU – New Australian Privacy Principle Guidelines Released for Comment

The second stage of Australian Privacy Principle (APP) guidelines have been released for public comment. APPs one through five were published in August, and this next set addresses “new requirements for agencies in how they use or disclose personal information, undertake direct marketing activities and send data off-shore,” according to Privacy Commissioner Timothy Pilgrim. Noting specific concerns related to APP 8, Pilgrim said, “These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas.” The Office of the Australian Information Commissioner will accept submissions until 21 October. [ComputerWorld]

AU – Commissioner To Release Mobile Guidelines

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday. [IT News Australia]

SG – New Data Protection Guidelines for Singapore

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act—introduced in January and which goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.” [Out-Law]

SA – South African President to Sign Data Protection Bill

The Protection of Personal Information Bill has recently passed in Parliament and will soon be signed into law by the president, report attorneys for Edward Nathan Sonnenbergs. The bill brings South Africa in line with international data protection laws, the report states, granting citizens the right to privacy when it comes to organizations collecting and processing their personal information by mandating compliance with eight conditions, including accountability, purpose specification and security safeguards. [Mondaq]

US – Experian Buys Fraud Detection Firm for $324 Million

Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication. [Reuters]

Privacy (US)

US – FTC Reaches Settlement With Company Over Unsecure Webcams

The FTC has reached a settlement with a company whose webcams lack adequate security. Trendnet cameras contain vulnerabilities that allow anyone online to view the devices’ feeds. Under the terms of the settlement, Trendnet may not refer to the cameras as “secure” in marketing materials. Trendnet must notify customers of the security issue, provide help to make the devices more secure, and undergo third-party security audits every two years through 2033. (The incident reported last month in which a stranger hurled obscenities at a Texas couple and their toddler through the webcam they were using as a child monitor involves a device from a different company.) [CNN] [The Register] [BBC] [Washington Post]

US – FTC’s Jessica Rich Lays Out Ambitious Ad Enforcement Agenda

FTC Director of Consumer Protection Jessica Rich remarks to the advertising community in New York City. “The FTC has long had a focus on national advertising,” she said. “We’re by no means finished.” Specifically, Rich noted the agency will step up enforcement in the digital arena, including mobile advertising disclosures. “This will be an area of increased law enforcement in the coming year,” she said. In addition to the “numerous privacy concerns” in the Big Data sphere, Rich said, “The NSA and Snowden incidents have done a lot to raise awareness about the collection of consumer data,” adding, “Consumers should be able to expect basic privacy and security protections.” [AdWeek]

US – FTC Files Complaint Against LabMD for Alleged Data Exposure

The US FTC has filed a complaint against a medical testing laboratory for allegedly exposing the data of more than 9,000 individuals. The complaint alleges that LabMD put the data at risk of theft in two separate incidents. In 2009, patient data were reportedly available on peer-to-peer (P2P) file sharing networks. In 2012, California police found identity thieves had documents from LabMD that contained personal information of more at least 500 patients. [SCMagazine][ArsTechnica] [FTC Press Release] [FTC Complaint Links] See also: [LabMD CEO Fights FTC Complaint, Asks for Standards]

US – GSA Offers Electronic Privacy Refresher

The General Services Administration Center for Excellence in Digital Government has released a memorandum on agencies’ use of social media and the dangers of posting content that contains personally identifiable information (PII). A specialist with the center, Tim Lowden, reminds agencies that they are required by Section 208 of the E-Government Act to conduct privacy impact assessments “when developing or before acquiring or using third-party sites or applications that collect PII.” Meanwhile, a Forbes report examines a recent high-profile case involving social media to question what the right balance is when it comes to protecting privacy while “promoting accountability” online. [FierceGovtIT]

US – Lawsuit Targets JPMorgan Chase & Co. Over Privacy Issues

JPMorgan Chase & Co. is facing a proposed class-action lawsuit accusing it of printing Social Security numbers on the outside of forms mailed to customers telling them of the bank’s efforts to protect their private data. The suit was filed last week in federal court in Chicago, IL, and alleges the bank put customers at risk for identity theft. “Chase even says on its website that providing Social Security numbers to an identity thief is ‘as good as gold,’” said the lawyer who filed the suit. It’s unknown how many customers were affected. [Reuters]

US – Survey: Orgs Lacking Comprehensive Privacy Programs

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011.”. While 43% of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90% of organizations do have at least one person responsible for privacy, only 66% have a defined privacy officer role. [CIOOnline]

US – New Online Media Privacy Opinion Issued

According to a recent federal court opinion, “news organizations may be more liable in privacy lawsuits if their reporting is factually incorrect.” The opinion centers on how one gossip website used the plaintiff’s modeling pictures to allegedly publish a false story on the plaintiff, stating the model was a sister of a known celebrity. Senior District Judge Denis R. Hurley filed the opinion in Edme v Internet Brands, Inc. et al and denied a motion to dismiss in the case. Hurley noted that, although the published story “can be considered, for better or worse, a matter of public interest merely because its subject matter involved a celebrity,” the media website in the case reported an “undisputedly false” claim that the plaintiff was a sister of the celebrity, thus losing its newsworthiness. [Inside Privacy]

Privacy Enhancing Technologies (PETs)

WW – Patent-Approved Personalized TV Keeps Privacy in Mind

FourthWall Media has received the go-ahead from the U.S. Patent Office for its broadband device personalization technology. The technology analyzes consumer behaviors but addresses privacy concerns by storing viewers’ profile data only on the consumer’s own television or mobile device, the report states, where it can be used to indicate to targeted advertising technology which ad to run or what content would be preferred. [Rapid TV News]

WW – Box Aims for NSA-Resistant Cloud Security; Customers Hold the Keys

File-sharing service Box is working on a cloud storage solution that would put the encryption keys into the hands of its customers instead of the company. Box cofounder and CEO Aaron Levie said the current architecture of the company resembles that of Google or Microsoft “in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users.” Yet, with some forecasting a $180 billion loss in U.S.-based IT businesses in the wake of the NSA disclosures, the move to provide an “NSA-resistant” service is alluring. Levie said the company is “exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act. [Ars Technica]


US – US Senate Expands Data Privacy Investigation

Sen. Jay Rockefeller (D-WV) has announced he is expanding his investigation of the data broker industry after several companies refused to disclose specific details about their business practices around the collection and processing of consumers’ personal information. Expanding beyond the nine original data broker businesses, Rockefeller said he will investigate 12 additional health, personal finance and family-focused websites. To this point, the Senate investigation has found that data brokers categorize and market consumer dossiers into groups, and in some cases, the categories included names such as “Rural and Barely Making It” and “Ethnic Second City Strugglers.” Rockefeller said, “Regardless of whether such characteristics are positive, negative or erroneous, the process of determining these characterizations is not transparent to the consumer and is beyond the consumer’s control.” [Financial Times]


US – Report Says it’s Too Soon to Professionalize Cybersecurity

According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce’s skills. [NextGov]


US – Judge Says Government Must Declassify More NSA Documents

The Electronic Frontier Foundation (EFF) has announced that a federal judge has ordered the US government to declassify additional NSA-related documents by December 20, 2013. The ruling was made in a lawsuit, Jewel v. NSA, which was initiated in 2008. [ArsTechnica] []

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US – FISA Court Orders Patriot Act Opinions Declassified

The US Foreign Intelligence Surveillance Court (FISC) says it will release some of the legal opinions justifying the government’s wholesale collection of phone data. The FISC has ordered the US government to start declassifying some of its opinions regarding the Patriot Act. The documents will be revealed as a result of a lawsuit brought by the ACLU. [ArsTechnica] [WIRED] [ComputerWorld] [FISC Order]

US – NSA Director Defends Data Gathering Practices to Legislators

NSA Director General Keith Alexander told US legislators that the Foreign Intelligence Surveillance Court (FISC) has not placed an upper limit on the number of phone records the NSA may collect. Alexander said, “I believe it in the nation’s best interest to put all the phone records into a lock box that we can search when the nation needs to do it.” Alexander and several other intelligence officials along with members of the Senate Select Committee on Intelligence were speaking at a committee hearing. At the same hearing, Alexander avoided directly answering a question posed by Senator Ron Wyden (D-Oregon) about whether the agency had used cell phone data to track callers. [ComputerWorld] [Charlotte Observer] Speaking at a cybersecurity summit earlier in the week, Alexander defended NSA data gathering. He also said he is willing to share cyberattack information with private sector organizations. [Washington Post] [ComputerWorld]

US – FISA Court Releases Rationale on Legality of Phone Metadata Collection

The Foreign Intelligence Surveillance Court (FISC) has declassified its rationale that the collection of phone call metadata under the Patriot Act is legitimate. The FISC also noted that no US telecommunication company has ever challenged court orders requiring them to provide bulk telephony metadata. [WIRED] ]FISC Opinion] [FISC Rationale on Legality of Metadata Demands]

US – NSA Deploying Security Controls to Prevent More Leaks

The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to the NSA system will not do anything alone. The NSA is also limiting how employees store data on removable devices. [ArsTechnica]

US – NSA Seeks Civil Liberties and Privacy Officer

The NSA is seeking a Civil Liberties and Privacy Officer to be selected from within the agency’s ranks. The new position will bring together “the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official.” The officer will help NSA “ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies.” [The Register]

US – 20% of Cybersecurity Positions at DHS Directorate Remain Unfilled

According to the US’s Government Accountability Office (GAO), the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate’s Office of Cybersecurity and Communications, has more than a 20 percent vacancy rate for jobs. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries, and the fact that there are not clearly defined skills sets for cybersecurity positions. [GovInfoSecurity]

US – Proposed Legislation Would Amend FISA to Limit Data Collection

US legislators have introduced the Intelligence Oversight and Surveillance Reform Act, which aims to protect people’s privacy without sacrificing security. The proposed bill would amend the Foreign Intelligence Surveillance Act (FISA) by prohibiting bulk gathering of phone records and emails and prohibiting national security letters (NSLs) from being used for bulk collection of data. It would also establish the position of an independent constitutional advocate to “argue against the government when the FISC is considering significant legal and constitutional questions.” [ArsTechnica] [CNET] [SCMagazine]

Telecom / TV

US – Court: Debt Collectors’ Cell Phone Calls Exempt from TCPA

A federal judge in Pennsylvania has ruled the Telephone Consumer Protection Act (TCPA) does not apply to debt-collection calls, even those made to cellular phones. In Roy v. Dell Financial Services, the court relied on an earlier court decision that “all debt-collection circumstances are excluded from the TCPA’s coverage.” The decision conflicts with that of nearly all courts that have examined the issue, the report states. Most have found that calls made using automatic dialing systems violate the TCPA unless “prior express consent” has been given. [insideARM]

US – Vodafone Calls For New Approach to Mobile App Privacy Comms

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry. Vodafone Global Privacy Counsel Kasey Chapelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. “We need to develop short-form , consistent privacy notifications along the same lines as nutrition labeling,” Chapelle said, adding, “Mobile operators can’t play the role that we used to (in terms of protecting mobile users’ privacy) any more as people such as handset manufacturers (Apple for example) get involved (with app stores, etc.).” Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states. [Marketing Week]

US – Reddit, Civil Liberties Groups Renew Push for Email Privacy

A coalition of digital civil liberties groups are making a renewed push for a bill to reform the Electronic Communications Privacy Act. The coalition relaunched a website this week that supports the E-mail Privacy Act, a bill that would require the government to obtain a warrant anytime it wanted access to e-mails or documents stored in the cloud. “Internet surveillance is not going to be completely solved until we have a warrant requirement for content, until the Fourth Amendment protections apply fully to the Internet,” said Mark Stanley of the Center for Democracy and Technology—one of the groups advocating for the bill. [Mashable]

US Legislation

US – California Governor Approves Online “Eraser Button”

California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an “eraser button.” The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites’ servers. [CNET] [How California Is Shaping Privacy Law]

US – California Gov Signs Tracking Disclosures into Law

California Gov. Jerry Brown has signed into law an amendment to the California Online Privacy Protection Act (CalOPPA) that requires websites to disclose in privacy policies how they react to Do-Not-Track signals, becoming the first state in the U.S. to impose such regulations on operators. As well as requiring operators to inform users about their handling of browsers and other DNT mechanisms, the law requires them to disclose whether they allow third parties to access personal information about users’ online behavior over time and on other sites. Operators who fail to comply with CalOPPA will receive a warning and have 30 days to come into compliance “before being deemed in violation of the law and subject to an enforcement action,” the report states. [rHunton & Williams’ Privacy and Information Security Law blog]

US – California Bill Would Extend Employee Social Media Law to Public Sector

The California Senate has passed a bill that would prevent public agencies from accessing employees’ or potential employees’ personal social media accounts except under certain circumstances. While Labor Code 980 already protects the social media accounts of employees and applicants in private-sector organizations, if Gov. Jerry Brown signs this bill, 980 will be amended to include public entities. The state sheriff’s association and probation officers oppose the bill, saying they won’t be able to appropriately screen candidates. [Lexology]

US – Gov. Signs Bill Allowing Kids to Delete Online Pasts

California Gov. Jerry Brown has signed into law a bill that requires online companies and app developers to give minors the ability to remove their online content. The bill is similar to EU proposals for a right to be forgotten. “A minor with a juvenile record can petition the courts to have it expunged when he turns 18,” said an attorney specializing in Internet privacy. “This new law is akin to what’s already out there in traditional law.” While the law only applies to Californians, companies based outside of the state must comply when dealing with California residents. [610KVNU]

US – UPDATE: Minnesota Off the Hook for DPPA Violation

While an employee of the Departments of Public Safety and Natural Resources may still see charges for inappropriately accessing drivers’ data through the state database, a judge has ruled that the state is not responsible for his alleged violations of the Drivers’ Privacy Protection Act (DPPA). The judge based her ruling on the plaintiffs’ failure “to allege that any act by the state defendants violated the federal Drivers’ Privacy Protection Act—specifically, the complaint does not allege the defendants knowingly ‘obtained, disclosed or used’ any of the plaintiffs’ personal information ‘for a purpose not permitted’ by the DPPA.” [Law360]

US – Senators Address NSA Phone Program; Rival Bills Issued

At least two new bills have been introduced in the Senate addressing the National Security Agency (NSA) phone surveillance program. The Senate Intelligence Committee is looking to swiftly pass legislation that would “change but preserve” the recently revealed dragnet program. The bill, backed by Sens. Diane Feinstein (D-CA) and Saxby Chambliss (R-GA), would require public reports revealing frequency of access by the NSA to the call log database, reduce the retention time from five to two years and require the NSA to send the data it searches to the Foreign Intelligence Surveillance Court for review. A rival bill, backed by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), would ban the collection program. [New York Times]

US – Sen. Leahy Aims to Revamp NSA Capabilities

Speaking at Georgetown University on September 24, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to aggressively pursue legislation to curb the National Security Agency’s surveillance powers. Leahy announced he is working together with USA PATRIOT Act author Sen. Jim Sensenbrenner, Jr., (R-WI) and Sen. Mike Lee (R-UT) to craft the new legislation. “I am convinced that the system set up in the 1970s to regulate the surveillance capabilities of our intelligence community is no longer working,” Leahy said, adding, “In my view—and I’ve discussed this with the White House—the Section 215 bulk collection of Americans’ phone records must end.” [The HIll]

Workplace Privacy

UK – Former Barclays Employee Fired, Fined for Accessing Customer Data

A former Barclays Bank employee has been fined GBP 3,360 (US $5,400) for accessing a customer’s data without permission. Jennifer Addo was found to have accessed the customer’s data 22 times between May and August 2011. The incident came to light when the customer noticed that a friend of Addo’s knew things about him that could only be found out by looking at information in the bank’s possession. Barclays terminated Addo’s employment shortly after the customer registered a complaint. [] [Information Age] [Credit Today] See also: [I Spy With My Corporate Eye: The Employee Services Conundrum]




01-15 September 2013


US – U.S. to Expand Data Sharing Overseas

The Department of Homeland Security plans to expand foreign biometric data sharing. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals. [FCW] SEE ALSO: [US: Ohio scrambles to secure facial recognition system]

WW – Apple Releases Include Fingerprint Sensor

Apple has released two new iPhones, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. [New York Times] [WSJ: Apple’s Fingerprint Feature and Pleading the Fifth] [Apple provides details on Touch ID’s privacy features] [What NSA snoops like about the iPhone] and [Thieves may mutilate owners in bid to gain access to fingerprint-reading handsets, expert warns] and [Canadian company puts password protection a heartbeat away]

WW – NIST: Iris Recognition Authentication Method Needs Some More Work

Federal researchers have reconfirmed the reliability of the iris as an authentication factor. But we’re at least 3 years away from using iris scanning as an advanced method of user authentication for IT systems. What’s holding back iris recognition as an authentication tool to access information on IT systems? According to experts, there are three main reasons: size, cost and culture. Specialized iris-reading cameras are too big to fit into the form factor of a laptop, smart phone or tablet. To be practical, an iris camera needs to be shrunk to the size of a webcam. For now, most iris cameras are much larger. Iris-reading cameras are too costly to be economically feasible to build into user devices – even if they could fit. Iris scanners and cameras cost hundreds if not thousands of dollars each. Imagine what that would do to the cost of a laptop of tablet. Another barrier: The IT security culture. When addressing authentication, many organizations’ IT security groups focus on something the user knows (password) or something the user has (token) and not on who the user is (biometric). That type of thinking needs to change. [Source    ]


CA – OIPC: GPS Tracking of Employees Is OK

BC’s Office of the Information and Privacy Commissioner (OIPC) has ruled that two elevator companies in the province can continue to use GPS technology to keep tabs on their employees. The employees had filed complaints that the practice violated their privacy. The OIPC did rule, however, that one of the companies must temporarily suspend the practice until it provides better notice to workers about data collection and use. One privacy advocate says the case indicates the need for new discussions about tracking given advances in technology since legislation on the matter was crafted. Meanwhile, Postmedia News suggests appropriate privacy policies can help keep employers out of trouble. [The Canadian Press]

CA – How to Keep Your Home’s Purchase Price Secret

Clients often ask whether I can keep the price they are paying for their home off the title record. The main reason is for privacy. They don’t think it is anybody’s business but theirs. You can do it if you pay the land transfer tax in advance. The tax is usually paid by your lawyer, but you can do it yourself. If that’s the case, you must include these documents with your request: A cover letter from the lawyer; A copy of the original agreement of purchase and sale; The draft deed to be registered on closing; A copy of the statement of adjustments; Three signed land transfer tax affidavits; and A certified cheque payable to the Ministry of Finance for the amount of land transfer tax owing. The Ministry will then provide your lawyer with a special code to be entered on closing, to confirm that the land transfer tax has already been paid. If the house is in Toronto, you will also have to pay the municipal Land Transfer Tax. In order to pre-pay this tax, there is a similar process that must be followed but you have to send the material to a different location. In all cases, what will show on your title after closing is either zero or $2 for the price paid. [Source]

CA – Saskachewan Privacy Commissioner Says SGI ‘Over Gathering’ Information

Saskatchewan’s Privacy Commissioner says SGI needs to stop “over gathering” medical information about crash victims, but the government-owned insurer says it’s not up to the commissioner to pass judgment. The latest report from Gary Dickson details the case of a woman who made an injury claim after a collision. SGI told her they would need medical files related to injuries to her neck and back.

But the report shows SGI gathered all of her medical files, including a reference to a sexually-transmitted disease the woman had years earlier. SGI did not explain why it gathered that information. It also says accident claims do not fall under the Privacy Commissioner’s jurisdiction. The information watchdog disagrees. [Source] [Saskatchewan Commissioner concerned] See also: [Ontario Liberals look for place to store 1.4 million boxes of government records]


WW – Survey: 86% of ‘Net Users Mask Footprint; Scared of Peers More than Gov’t

According to a recent survey, 86% of Internet users have taken at least one step to remove or mask their digital footprints online, and 55% have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses. Given recent revelations about U.S. government access to data, Director Lee Rainie said he was surprised to find that respondents were more concerned with hiding data from people they knew than the government or law enforcement. [Full Story]

WW – Consumers: Forget Screen Size, Cameras; Sell Us Privacy

Consumers are now more concerned about privacy in the use of their mobile phones and apps than they are about screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users’ prioritized their concerns. [Full Story] SEE ALSO: [Canada’s Moral Compass Points to Apathy on Online Privacy]

US – Insurer Wants Out of Breach Coverage in ZIP Code Case

Consumers in California, Massachusetts and Washington, DC, are suing Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc., for collecting ZIP codes during credit card transactions. OneBeacon American Insurance Company says the retailer’s insurance doesn’t cover such privacy issues, the report states, and is asking a federal judge to absolve it of any obligation in the case. [Main Justice]  For a primer on this issue, see Angelique Carson’s report, with a guide to zip code law.

US – Project Aims to Educate About Digital Footprints

A National Science Foundation-funded project called Teaching Privacy and a related online tool lets users track the location of Twitter and Instagram users. Both the project and the “Ready or Not “ tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity. [GigaOm]

JP – Tokyo Taxis Alert Passengers When They Leave Something Behind

Each taxi will be equipped with four cameras; one under the driver’s seat, one under the front passenger seat, one on the ceiling and one in the taxi’s trunk. The system works by comparing before and after images of the areas photographed. If the system detects an item left behind, such as a purse or a mobile phone, it instantly sounds an alarm, allowing the passenger to retrieve his or her belongings before the taxi drives off. To address privacy concerns related to the new system, the company claims the system won’t capture clear images of the faces and signs will be posted inside the vehicles to alert passengers of the cameras. It was reported that Tokyo drivers reported to police 210,000 objects left behind in their cars last year. The company also claims that it has recovered a vast range of items from its cars over the years. It says that mobile phones account for about 60 per cent of objects left behind. [Source]


US – Employees Improperly Used Driver’s License Database: Suit

18 people plan to file a lawsuit in Minneapolis federal court, claiming that government employees in Winona and more than 50 other Minnesota counties and cities violated their privacy by inappropriately using the state’s driver’s license database. The complaint alleges that “government officials targeted citizens based on their political involvement” and searched private information using the database, commonly used by law enforcement. Attorney Erick Kaardal, who represents the accusers, said he plans to reveal evidence of more than 600 illegal searches by employees of municipalities. The state’s driver’s license database made news last year, when a Department of Natural Resources employee was accused of using it to access the records of thousands of people, the vast majority of whom were women. A February 2013 report from the state legislative auditor’s office found numerous cases of abuse, including a case where 88 law enforcement employees misused the database, and some continued to after leaving their job. The report found that more than half of law enforcement personnel who used what’s called the Driver and Vehicle Services database had searched information on people with their same last name, or searched primarily for either women or men during 2012. “Law enforcement personnel have used their access to driver’s license data for non-work purposes or work purposes that are not allowed by state law,” the report found. The office’s report said monitoring, accountability, and training all need to be strengthened. [Source]


US – Lavabit Owner Appealing Surveillance Order

Lavabit owner Ladar Levison has appealed the secret surveillance order received from the US government that prompted him to shutter his business in August. The details have been placed under seal. The surveillance order forbids Levison from disclosing what the government has asked of him or who its target was. [WIRED]

US – Archives: Federal Workers May Use Secret Emails

Administration officials and other federal workers may continue to use secret government email accounts to conduct official business as long as the messages are safely preserved and turned over when they are sought under the Freedom of Information Act, the nation’s record-keeping agency said. New rules from the National Archives and Records Administration follow an Associated Press investigation earlier this year that found that some Obama administration political appointees used government email accounts that were not disclosed to the public or to congressional officials. On Tuesday, U.S. Archivist David Ferriero told a House oversight hearing that he doesn’t care how many email addresses government officials use. But Republican lawmakers said multiple email accounts, while could be useful for organizing large numbers of emails, may complicate efforts to pinpoint which accounts belong to whom. [Source] SEE ALSO: [Deleted emails in power plant scandal prompts push for training] and [Google lawsuit stirs debate over email privacy rights]

Electronic Records

US – ONC Releases Guidance on Interoperable E-Health Exchanges

The Office of the National Coordinator for Health Information Technology has released guidance in order to facilitate interoperable electronic health information exchanges. While many healthcare providers qualify for Medicare and Medicaid electronic health record incentive payments under the HITECH Act, there are many providers that are ineligible for such payments. The guidance aims to “serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange.” [Source]

CA – MGS Statement on Commissioner Cavoukian’s Special Report

Minister of Government Services John Milloy made the following statement on the actions taken to comply with the recommendations in the Special Report on the records management practices of political staff: “I want to thank the Information and Privacy Commissioner again for her report and for meeting with me in June. Our government takes its recordkeeping obligations seriously and we are committed to being open, accountable and transparent. Addressing Dr. Cavoukian’s recommendations has been a top priority to ensure that situations referred to in her report do not happen again. I want to thank both the offices of the Information and Privacy Commissioner and the Integrity Commissioner for working with our government on these important issues. The actions we are announcing today address all of Dr. Cavoukian’s non-legislative recommendations, including:

  • Developing a mandatory training program for all political staff to ensure that staff are fully aware of and trained in their records management obligations;
  • Creating a working group of Premier’s Office staff, Cabinet Office staff and Ministry of Government Services staff to clarify and strengthen the government’s records retention policies and practices so that they can successfully be put into practice;
  • Appointing ministers’ chiefs of staff and the Premier’s chief of staff as the persons accountable for the implementation and compliance with records management policies in each of their respective offices and appointing a senior advisor in the Premier’s Office to provide advice and guidance to all offices on these issues; and,
  • Improving archiving requirements by conducting a review of the archiving schedules.

The Premier has also issued a directive to all political staff underlining the serious obligations of staff to manage records in accordance with approved records retention schedules, and to complete mandatory training. [Source] and [Statement from Commissioner Cavoukian in response to September 4 statement by the Minister of Government Services]


WW – NSA Undermines High Level of Internet Encryption

The latest leak from former government contractor Edward Snowden reveals the U.S. National Security Agency has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world,” according to a multi-pronged report by The New York Times, ProPublica and The Guardian . Since 2000, the agency has invested billions of dollars to influence international encryption standards and force technology companies to provide backdoor access to encrypted communications. The ACLU’s Christopher Soghoian said the programs are “making the Internet less secure and exposing us to criminal hacking, foreign espionage and unlawful surveillance,” adding that it “will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” [Full Story] See also: [Real privacy means oversight – Op-Ed: Ann Cavoukian, Ron Deibert, Andrew Clement and Nathalie Des Rosiers The Globe and Mail] and [Canada complicit in undermining Internet privacy: Geist] and [US: Johns Hopkins reverses decision forcing prof to pull NSA post] and [US – Poll: Public Doubts Rise on Surveillance, Privacy] and [Ontario Privacy Watchdog Is Not Amused With The NSA] and [Schneier on NSA’s encryption defeating efforts: Trust no one]

WW – Google Encrypts Data Amid Backlash Against NSA Spying

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said. The move by Google is among the most concrete signs yet that recent revelations about the NSA’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs. Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, which obtains data from American technology companies, including Google, under various legal authorities. Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers. [Source]

EU Developments

EU – MEPs Call for Halt to Anti-Terror Program

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP). “I think there is more than enough evidence to call for a suspension,” said Dutch MEP Sophie in’t Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, “The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.” [CIO]

EU – New Data Breach Notification Requirement in Effect

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, Laura Vivet Tañà examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach. [Full Story]

EU – Safe Harbor May Be Controversial in the EU, But It Is Still the Law

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency’s PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor’s fate. Full Story


EU – Mosley Wants Censorship Google Isn’t Willing to Give Up

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used, the report states, but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship,” the report states. [Financial Times]


US – CFPB Seeks to Monitor Credit Card Transactions

Officials at the Consumer Financial Protection Bureau (CFPB) are seeking to monitor 80% of all U.S. consumer credit card transactions this year through a controversial data-mining program. A CFPB planning document for fiscal years 2013-17 indicates plans for a “markets monitoring” program as well as plans to monitor up to 95% of mortgage transactions. “This is one step closer to a Big Brother form of government where they know everything about us,” said Rep. Sean Duffy (R-WI) at a hearing on the matter last week where critics asserted the agency’s plans are beyond its authority. [Washington Examiner]

WW – G20 Countries to Share Tax Records to Crack Down on Cheats

Tax records will be shared around the world by 2015 as part of a G20 pledge to crack down on individual tax cheats and global corporations with complicated arrangements aimed at paying as little tax as possible. The topic of taxation in a global economy has become a major political issue of late, as multinational firms like Apple and Starbucks have faced scrutiny over their corporate structures. Further, investigative reports into the use of offshore tax havens by the world’s wealthiest individuals added momentum to the view that governments are getting short-changed of much needed revenue. As business increasingly moves online and international, cash-strapped governments approved an aggressive timeline to adopt the automatic exchange of tax information among the G20. The deal was solidified after China, the last holdout, agreed to the plan just days before the summit in St. Petersburg. A proposed U.S. law requiring foreign governments – including Canada – to report banking information involving U.S. citizens has already ran into concerns from the Canadian government and attracted the attention of Canada’s privacy commissioner. Questions of privacy will likely increase given that the G20 includes non-democratic countries where human rights are a concern, including China and Saudi Arabia. [Source]


WW – Internet Giants Make New Push for FISA Transparency

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post. Full Story

US – Yahoo Issues First Gov’t Transparency Report

Yahoo’s first government transparency report indicates the company “received 12,444 requests for data from the U.S. government so far this year” related to the accounts of 40,322 users. Of those requests, “37% disclosed the content of Yahoo accounts, such as words in e-mails, photos or uploaded files. In about 55% of the requests made, the company disclosed information about its users that did not involve content but gave information such as names, location data and e-mail addresses.” To date, the report states, Yahoo has rejected “two percent of those federal government requests.” [The Washington Post] SEE ALSO: [Toronto Mayor Rob Ford’s office on ‘honour system’ to release all requested records]

US – Internet Companies Seek Permission to Disclose Gov’t Data Requests

Facebook, Google, and Yahoo have filed a petition with the US Foreign Intelligence Surveillance Court, seeking permission to disclose more information about secret data requests made by the government. The companies are stepping up their push because earlier efforts, made in the wake of revelations about the existence of PRISM and other government surveillance programs surfaced earlier this summer, were not successful. The companies want to disclose detailed information about national security requests made under FISA. Google has asked that the hearing be made public. [NBC News] [CNET] [ComputerWorld]


EU – Proposed DNA Bill in Ireland Leans Toward Destruction

Minister for Justice Alan Shatter has published a bill on the establishment of a national DNA database. The bill takes into account privacy concerns about earlier versions of the bill on destruction of samples and deletion of DNA profiles, among others. Shatter’s bill would allow authorities to take DNA samples from most criminal suspects but the default would be in favor of the destruction of such samples when an individual is not convicted. [Irish Times]

WW – What Happens if Newborns’ Entire Genomes are Screened?

U.S. government is funding studies on what happens if you screen newborns’ entire genomes. The aim of the study is to find out if the data results in better healthcare or simply data overload. “We would like to see if genome sequencing can shed light on disorders that we don’t screen for currently,” said National Institute of Child Health and Human Development Director Dr. Alan Guttmacher, adding there are questions involved. “How do we protect the baby’s privacy? Where will the baby’s genome data be stored, and who will have access to it?” [NBC News] SEE ALSO: [The Privacy Conundrum And Genomic Research: Re-Identification And Other Concerns]


US – Google Case Can Proceed, Appeals Court Rules

A federal appeals court in San Francisco has said a lawsuit accusing Google of illegal wiretapping can proceed. The case involves Google’s Street View initiative, in which Google vehicles collected e-mail, passwords and other personal information from unencrypted home networks. Google wanted the case dismissed, arguing the data it accessed was exempt from the Wiretap Act because it was readily accessible to the general public. The appeals court agreed with an earlier federal court’s ruling, reasoning that, “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store and decode data transmitted by other devices on the network.” [The New York Times]

US – Federal Appeals Court Denies Google’s Bid to Dismiss Street View Lawsuit

The US 9th Circuit Court of Appeals has ruled that Google’s inadvertent harvesting of users’ personal information from unprotected Wi-Fi routers while collecting data for Street View is not exempt from the Wiretap Act and that the company may be held liable for civil damages. Google had sought to have the lawsuit dismissed, arguing that transmissions over Wi-Fi networks are “readily accessible to the general public.” [WIRED] [Ars Technica] [ComputerWorld] [ZDNet] []

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court on Thursday, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Associated Press] SEE ALSO: [Google security exec: ‘Passwords are dead’]

Health / Medical

US – New HIPAA Rules Require Revised Notices; Deadline Looms

Earlier this year, the Department of Health and Human Services Office for Civil Rights released omnibus regulations changing significantly HIPAA’s privacy, security, enforcement and breach notification rules. An article for Boston’s WBUR looks at what the changes mean for patients. Under the changes, covered entities must update and post a revised notice of privacy practices before September 23. In this report for Lexology, attorneys from Wilson Elser describe what such notices must include. Meanwhile, California lawmakers are considering proposing stricter HIPAA regulations. [Full Story] SEE ALSO: [US: Your Cat’s Name Could Soon Be Your “Personal Information”]

US – FTC Files Complaint Against LabMD; Companies Suffer Breach Fallouts

The FTC has filed a complaint against medical testing laboratory LabMD, Inc., alleging the company failed to reasonably protect consumers’ personal data, including medical information. The FTC alleges that in two incidents LabMD collectively exposed 10,000 consumers’ personal information. Meanwhile, the insurance company for Schnuck Markets has filed a lawsuit against the company seeking release from liability after a data breach earlier this year, and The University of Texas has informed patients of a data breach after a laptop containing their personal data was stolen. In Florida, the State Department of Health is the subject of criticism over new proposals regarding an online prescription database. And the U.S. Department of Energy has disclosed new information on a data breach affecting more than 14,000 employees. [Full Story]

US – Surgery Photo Prompts Privacy Concerns

A former patient has filed a civil lawsuit against a Los Angeles-based medical center after her doctor and his assistant decorated her face and took a photo while she was unconscious during a surgery. The state also investigated the case. The incident, as well as another involving a salesman taking a photo of a naked patient without the patient’s knowledge, has sparked concerns about mobile devices in healthcare facilities. “The idea that people are using their cellphone or even have one in the operating room is crazy,” said Deborah Peel, founder of Patient Privacy Rights. “It’s a massive security risk and incredibly insensitive to patients.” [Los Angeles Times] [Surgery photo leads to privacy lawsuit against Torrance Memorial]

Horror Stories

US – Hacker Accesses Two Million Vodafone Accounts

An intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. Compromised personal information include names, addresses, dates of birth and bank account information but did not include credit card information, passwords, PIN numbers or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8% yesterday. The attack was detected earlier this month and was halted. [Bloomberg] SEE ALSO: [Wal-Mart investigates privacy breach at Regina store]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. [Source]

US – Schools, Council Investigate Breaches

The Medical University of South Carolina sustained the largest breach of its history between June 30 and August 21 after a third-party credit card processing company compromised 7,000 patients’ data. Meanwhile, parents of 130 children at two elementary schools in Virginia say their children came home with other students’ sensitive data, prompting fears of identity theft. The Washington Post reports Washington, DC’s privacy officer has “serious concerns” after a paramedic wrote a letter to the DC Council that included a patient’s data, and the University of South Florida is investigating a data breach caused by an employee. [HealthITSecurity]

US – Breach Settlements and Class-Actions Filed

A recent dismissal of a case arising from a credit card skimming attack suffered by Barnes & Noble by the U.S. District Court for the Northern District of Illinois demonstrates the struggle plaintiffs face in trying to articulate injury, write attorneys for Ropes & Gray, LLP. Meanwhile, ModernHealthcare discusses the legal consequences of a recent and massive data breach at Advocate Health Care. MediaPost News reports on both a potential class-action filed in Illinois accusing Google of violating its privacy policy and on Netflix users’ request that a $9 million settlement of a class-action lawsuit be nixed. [Full Story]

Identity Issues

US – Aggregator to Show Users Their Data

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them. Users who visit will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data came from originally. Axciom’s CEO says the company aims to alleviate consumer fears on data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. [The New York Times] [US: Acxiom Lets Consumers See Data It Collects] SEE ALSO: [Dear Janice Lokelani Keihanaikukauakahihuliheekahaunaele: Your name is way too long for your ID]

SK – South Korea Steps Up Authentication Measures to Fight Financial Fraud

In an effort to combat cyber fraud, South Korea’s Financial Supervisory Service (FSS) says that as of September 26, 2013, people who conduct online transactions with banks, insurance companies, brokerage firms, and other financial institutions will be required to identify themselves through text messages or automated response systems. [ZDNet] [

CA – Protect New Passport from Hackers: Expert

AS of July 1, Canada joined several other countries and added computer chips to all new passports — they carry the passport information and a digital photo. An airport reader scans the passport and accesses the information on the chip in order to verify the identity of the pass-holder. The chips in the new passports work on radio-frequency identification, the same technology used in security ID cards and door readers. It is also the same technology that some smartphones have, using near field communication (NFC), which lets smartphones communicate by bumping, or lets people pay for parking using their smartphones. An NFC-enabled smartphone can access the data on chip-enabled passports using an app, giving the user access to the data in 30 seconds. The app is one of several similar apps available in the Android app store. If a user can enter the passport number, date of birth of the holder and date of expiry, they can access the information on the chip, including a digital version of the passport picture, with one tap of their phone. Rick Dykstra, parliamentary secretary to Citizenship Minister Chris Alexander, said the passports are still safer than the previous non-chipped versions. “Are they perfect? No. There are always fraudsters and hackers out there who will continue to try to take advantage, but we believe that we’re building a passport that is many times stronger and safer than the previous passport,” Dykstra said. There are ways to protect passports from being read, Neville said, recommending people protect their passports by placing them in RFID-proof cases, which surround the passport and prevent signals from coming in or going out, unless the passport is taken out of the case. American passports, for example, have that RFID-proofing built into their covers so they can only be scanned when opened. [Source]

UK – Government Signs First ID Assurance Contracts for Online Transactions

The UK government has signed contracts with the Post Office, Verizon, Experian, Digidentity and Mydex for the supply of the first live identity assurance services to drive secure online government transactions. The new cross-government identity assurance framework will see the contractors providing a service to enable people to assert their identity online without security concerns. The development of the identity assurance service will be managed by the Cabinet Office. PayPal, Cassidian and Ingeus have also been awarded a place on the identity assurance framework. The GDS (Government Digital Services) has undertaken a redesign of 25 of the most-used transactional public services in a bid to make them simpler and easier to use. The services include electoral registration, patent renewals and Universal Credit. [Source] See also: [Account Takeover: The Fraudsters’ Edge]

Intellectual Property

UK – ISPs to Collect Data on Illegal Downloaders – Reports

Media companies have asked UK broadband providers to collate info on illegal downloaders, which could violate data protection laws. Those caught committing piracy could be subject to internet throttling and even prosecution. In an attempt to clamp down on the illegal downloading of music and films, the British Phonographic Industry (BPI) and the British Video Association have requested BT, Virgin Media, BSkyB and TalkTalk to record information on piracy. The new code of conduct would oblige the companies to gather data on illegal downloaders and store it in a database. The information could then lead to repeat offenders having their internet cut-off or being prosecuted. Internet users will reportedly been given warnings by letter before these measures are taken, reports the Guardian. The move has attracted controversy amid speculation that it may violate the Data Protection Act, as the law says that companies may only retain personal data relating to a client if it is for commercial purposes. The proposal comes as part of a nationwide clampdown on growing internet piracy. Between November 2012 and January 2013, UK watchdog Offcom reported that 280 million music tracks had been pirated, as well as 52 million television programs. Furthermore, Offcom found that 18% of internet users aged over 12 had recently committed internet piracy, while one 9% actually fear getting caught. [Source]

Internet / WWW

WW – Experts Want Web Security Rewritten

Internet security experts are calling for a campaign to rewrite web security following news that the U.S. National Security Agency is capable of breaking millions of sites’ encryption codes. But that’s a task that would be extremely difficult, the experts admit. “A lot of our foundational technologies for securing the Net have come through the government,” said researcher Dan Kaminsky, adding, “As much as I want to say this is a technology problem we can address, if the nation states decide security isn’t something we’re allowed to have, then we’re in trouble.” Meanwhile, Chris Matyszczyk writes for CNET that trusting corporations over the government when it comes to data privacy is flawed logic. [Reuters]

WW – Academics Explore the Intersection of Privacy and Big Data

In anticipation of the Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” [Full Story]

Law Enforcement

US – Law Enforcement Surveillance Tools Abound

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.” [Source] SEE ALSO: [UK: Dozens of police workers being investigated every year for missing force computers to obtains confidential information]

US – ACLU Report Voices Qualms With License-Plate Scanning

Approximately 75% of U.S. police departments are using or plan to use license-plate scanning technology to help solve crimes. The American Civil Liberties Union (ACLU) says the technology has the potential to collect data on innocent Americans and can be used in ways that violate privacy. “In our society, it’s a core principle that the government doesn’t watch people’s innocent activities just in case they may be connected with a crime,” said Allie Bohm of the ACLU, adding that often “police are retaining this data indefinitely with few privacy protections … It can reveal people’s political views, religious activities and a lot of other personal information.” [Business Insider] SEE ALSO: [AUS: Queensland Premier Campbell Newman says civilians will take place of police in speed camera vans on back of Keelty review] [AUS: NSW Police to be quizzed over numberplate photography data as part of report into privacy]

US – Attorney General Launches Database Probe

Following law enforcement’s increasing use of facial-recognition software, Ohio Attorney General Mike DeWine has requested a review of a law enforcement database. The Ohio Law Enforcement Gateway allows about 300 Ohio law enforcement agencies to access records in a sex-offender registry, driver’s license and motor vehicle registration files and criminal history. There are more than 30,000 approved users. DeWine has formed a working group to discuss safeguards against hacking and privacy violations. [The Columbus Dispatch] See also: [Victoria Police want you to send them photos of distracted drivers]

Location / Mobile

WW – Group Releases Privacy Notice Generator

MEF, a mobile content and commerce industry trade organization, has launched a privacy notice generator for app developers, and the goal, according to the group’s press release, is “to build consumer trust in mobile apps by helping developers apply best practice in the collection and sharing of personal data.” By checking off boxes detailing what data is collected, the free online tool “produces a bespoke privacy policy as HTML code that can be customized and embedded directly into the developer’s application.” Future of Privacy Forum Executive Director Jules Polonetsky said, “AppPrivacy is a useful resource that will help developers effectively and easily create a mobile-friendly privacy policy.” [Bloomberg]

Online Privacy

US – Company Admits Facebook Privacy Violation

HasOffers, a company that provides tools for tracking the performance of online ads, has acknowledged it “recently ran afoul of Facebook’s user privacy policies, and it has had to change its marketing practices.” The company’s CEO noted the company’s “MobileAppTracking platform inappropriately allowed advertisers to obtain device-level attribution and performance data. This was a mistake on our part.” Meanwhile, U.S. Sen. Al Franken (D-MN) has written to Facebook’s Mark Zuckerberg urging the company to rethink plans to use profile photos for tagging suggestions, citing concerns about facial recognition and its ability to track people in the “real world.” [VentureBeat]

WW – Facebook Flaw Allowed Hackers to Delete Posted Photos

A security flaw that allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar — and he has been rewarded for his efforts. The Facebook flaw, explained in length on Kumar’s blog, exploits the Facebook Support Dashboard. Considered “critical,” the bug works with any browser and any version, but was most successfully exploited through mobile devices. The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image’s owner. A link is then generated to remove the photo — which if clicked by the owner, removes the offending image. However, while sending the message, two parameters — Photo_id & Owners Profile_id — are vulnerable. If modified, then the hacker could receive any photo removal link within their inbox, without the owner’s interaction or knowledge. Every photo has an “fbid” value, which can be found through a Facebook URL. After the image ID has been secured, then two Facebook user accounts — where one would act as a “sender” and one as a “receiver” — can be used to receive a ‘remove photo link’. Owner profile IDs can be found by using Facebook Graph. [Source]

WW – Will Going Public Diminish Privacy on Twitter?

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. The company plans to exact a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.” [Blouin News]

US – Facebook Delays Planned Policy Changes

Following heat from six major consumer privacy groups, Facebook says it will delay planned changes to its privacy policies. The coalition asked the U.S. FTC to block the changes, arguing they would make it easier for Facebook to use user data to endorse advertisements without their consent. “We are taking the time to ensure that user comments are reviewed and taken into consideration to determine whether further updates are necessary, and we expect to finalize the process in the coming week,” Facebook said in a statement. [Los Angeles Times]

US – Coalition Asks FTC to Block Facebook Policy Changes

A coalition of six major consumer privacy groups has asked the FTC to block coming changes to Facebook’s privacy policies. The coalition—which includes EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—says the changes would make it easier for the site to use users’ data. The coalition wrote a letter to the FTC stating the changes violate a 2011 settlement and order with the FTC. [The New York Times]

WW – HP Launches Regulatory-Compliance Service

Hewlett-Packard (HP) has launched a service that aims to help organizations comply with government privacy regulations. HP’s Data Privacy Services contains a suite of services addressing data sanitization, defective media retention and comprehensive defective material retention. “What we’re seeing is demand for this type of service from customers, driven by compliance and liability concerns about leakage of data,” said an HP spokesman. [eWEEK]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [AdWeek]

Other Jurisdictions

AU – OAIC Releases Draft Guidelines

The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principle (APP) guidelines for public feedback. The guidelines outline how the OAIC will interpret and apply the APPs, which go into effect in March of next year, the report states. Australian Privacy Commissioner Timothy Pilgrim said the new laws require government agencies and private-sector organisations to be more open and transparent on data handling. “This will give people a better understanding of how their information will be handled so that they can make an informed decision about interacting with the entities covered by the Privacy Act,” he said. [Computerworld]

AU – Long Delays Before Privacy Complaints Assessed

Australia’s federal Privacy Commissioner has blamed the federal government for long delays in assessing breach-of-privacy and freedom-of-information complaints. Complaints about privacy are not being allocated to case officers until just over five months after submission, taking about 19 weeks longer than the usual four-week period. Separately, freedom-of-information matters (complaints and requests for reviews) are not being allocated to officers for up to seven months. Privacy Commissioner Timothy Pilgrim said that while overall privacy complaints increased by 10% during the previous financial year, “staffing levels have decreased in line with the need to meet efficiency dividends imposed by government”. The combination of an increase in complaints and fewer staff was the reason for the backlog, he said. [Source]

SA – National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Full Story] and [South Africa: New privacy law will have ‘significant impact’ on businesses]

Privacy (US)

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [Full Story] See also: [US: Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers’ Privacy]

US – FTC Investigating Facebook Policy Changes

The FTC has initiated an investigation of Facebook’s recently altered privacy policy to assess whether it violated a 2011 consent order with the agency. Under the 2011 agreement, Facebook must gain explicit consent from users prior to exposing their information to new audiences. An FTC spokesman said, “Facebook never sought out a discussion with us beforehand about these proposed changes.” A Facebook spokeswoman said, “We routinely discuss policy updates with the FTC, and this time is no different,” adding, “Our updated policies do not grant Facebook any additional rights to use consumer information in advertising … the new polices further clarify and explain our existing practices.” Sen. Ed Markey (D-MA) has sent a letter to the FTC raising concerns about the changes. [The New York Times]

US – Court Rules Nonpublic Facebook Posts Protected by SCA

The U.S. District Court in New Jersey has ruled that nonpublic Facebook posts are protected under the Stored Communications Act (SCA). The case involved a hospital worker who posted to her page a negative comment, which could only be seen by her Facebook friends, about paramedics’ handling of a situation. A Facebook friend then took a screen shot of the post and shared it with hospital management—none of whom had access to the post through Facebook. The employee was suspended and issued a memo saying she had deliberately disregarded patient safety; she then sued on the grounds of SCA violations, among others. The court interpreted the 1986-era language and determined the post is protected under SCA, as it is an electronic communication “transmitted via an electronic communication service” that was in storage and not public. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Microsoft Funds Tech Policy Lab

Microsoft is donating $1.7 million to the University of Washington to found a Tech Policy Lab that will study and test new technologies in order to shape national policies in areas including consumer privacy, security, censorship, public records and wearable devices. Meanwhile, nine out of 10 statisticians believe consumers should worry about privacy issues related to the data being collected about them, and an article in the MIT Technology Review asserts that computer scientists at the National Security Agency are in breach of their own profession’s code of conduct—a list of 16 moral imperatives including “be honest and trustworthy” and “respect the privacy of others.” [GeekWire]

US – Microsoft Says Suit Isn’t Suitable Class-Action

Microsoft says a lawsuit against it seeking class certification should be denied such a designation because “little is ‘common’ among the tens of thousands of proposed class members.” The suit alleges Microsoft violated California’s Song-Beverly Act by asking in-state consumers for personal information without informing them such disclosures weren’t required for credit card purchases to be completed. The August 30 request for class certification says Microsoft’s training and policy documents do not instruct employees to inform customers that personal information disclosures are voluntary. Microsoft says each customer’s experience is varied and some class members knew providing data was voluntary. [Source]

US – LinkedIn Defends Data Practice, Seeks Class Dismissal

LinkedIn is seeking a dismissal of a suit that claims the company was deceptive with its data security and privacy statements. LinkedIn has stated its privacy policy is the same for both its baseline and premium subscriptions and that the plaintiff’s claim is unjustified. “So there is no question that what members are paying for in upgrading to premium services is the enhanced premium tools and capabilities—not LinkedIn’s promise in its privacy policy to secure personal information with ‘industry standards and technology,’” the claim states, while also citing document showing the plaintiff purchased the subscription before privacy statements were included on the transaction page. According to LinkedIn, “Plaintiff’s arguments ignore that the allegedly deceptive statement was not made in advertising or in other materials that can be reasonably understood to be aimed at inducing members to purchase premium subscriptions.” [Main Justice]

US – FTC Seeks Comment on Verifiable Consent Method

The FTC is seeking public comment on a proposed verifiable consent method submitted by Imperium, according to an agency press release. Under a provision within the new Children’s Online Privacy Protection Act Rule, organizations may submit new verifiable consent methods for FTC approval. In addition to seeking comment, the FTC examines whether the method is already covered by existing methods and whether it will ensure the individual providing consent is the actual parent. The comment period will be open until October 9. Full Story

US – America’s Most Privacy Friendly Companies

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches. [Forbes]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. Editor’s Note: More on the possible implications of this case here. [Mondaq]

Privacy Enhancing Technologies (PETs)

WW – New Apps Give Posts a Shelf Life

A proliferation of mobile apps allows users to control who sees their content on social media sites—and for how long., for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. “With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control,” said Spirit’s developer. [Reuters] [Apps make self-destructing posts for Facebook and Twitter with privacy on mind] SEE ALSO: [AUS: A Gift Shop Devoted Entirely To Privacy-Protecting Stealth Gear]


US – E-Z Pass Tracked for Secondary Purposes in New York City

A recent report by Forbes’ Kashmir Hill revealed how an E-Z Pass is not only tracked by toll booths but also by a New York City traffic management initiative. The news highlights both the benefits of Big Data use and the privacy concerns about secondary use, ubiquitous data collection, anonymization and other topics covered at last week’s Future of Privacy Forum and Stanford Law School event on Big Data and privacy. This Privacy Perspectives installment delves into some of the major takeaways from the event and what these paradigms could mean for businesses and consumers moving forward. [Forbes]

US – New Jersey School Employing RFID for Students and Staff

The Belleville Public School District is using RFID to track students and faculty in the school and on buses as part of a security effort aimed at preventing a tragedy such as that in Newtown, CT, last year. According to the report, the badges will come equipped with buttons to alert authorities to an emergency and will typically be set to “beacon” their ID numbers every 28 seconds to be captured by one of the 190 RFID readers in the school or installed on each of its 21 buses. The system may also be used to eliminate attendance-taking in class or “identify if the same individuals were repeatedly visiting the bathrooms simultaneously, possibly suggesting a drug-use or fighting issue.” Schools in Texas and New York are considering similar systems. [RFID Journal]

US – School District Aims to Stop Bullying by Watching Kids’ Social Media Use

A Southern California school district is trying to stop cyberbullying and a host of other teenage ills by monitoring the public posts students make on social media outlets in a program that has stirred debate about what privacy rights teenage students have when they fire up their smartphones. Glendale Unified School District hired Geo Listening last year to track posts by its 14,000 or so middle and high school students. The district approached the Hermosa Beach-based company in hopes of curtailing online bullying, drug use and other problems after two area teenagers committed suicide last year. The company expects to be monitoring about 3,000 schools worldwide by the end of the year, said its founder. [Source]


US – Hackers Find Ways to Hijack Car Computers and Take Control

In recent demonstrations, hackers have shown they can slam a car’s brakes at freeway speeds, jerk the steering wheel and even shut down the engine — all from their laptop computers. The hackers are publicizing their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain anywhere from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks. [Source]

WW – Warning Over Security of Baby Monitors

Security flaws in common baby monitors allowed hackers to break into the devices “easily” – and watch silently through hundreds of cameras. The faulty software allowed anyone with the right internet address to freely access the “feed” from Trendnet cameras – and has prompted an investigation by America’s FTC into the safety of “connected” devices. After 700 cameras were accessed, Trendnet has agreed to a 20-year security audit of its devices – and the FTC is to investigate the security of other “connected” devices in November this year. Security researchers have already shown that it is possible to access, for instance, the webcam in a web-connected television – prompting Samsung to issue a warning saying that families could consider covering the cameras when not in use. [Source] SEE ALSO: [TV makers aim to track what you watch] AND [SWE: ‘Lifelogging’ camera shrugs off privacy to seize the moment]


WW – NSA Reactions Abound in U.S., Canada, Brazil

The fallout from Edward Snowden’s U.S. National Security Agency (NSA) revelations is showing no sign of letting up. In the U.S., Sen. Edward J. Markey (D-MA) is asking for details from major cellphone carriers on how many government data requests they receive and how they respond. In Brazil, President Dilma Rousseff is asking legislators to support a bill requiring foreign companies to store data about their Brazilian clients on servers in that country in the wake of the NSA reports. And in Canada, Communications Security Establishment Canada “handed over control of an international encryption standard to the NSA, allowing the agency to build a ‘backdoor’ to decrypt data,” reports indicate. Ontario Information and Privacy Commissioner Ann Cavoukian has introduced a policy aimed at allowing privacy and counterterrorism surveillance to coexist in harmony, while a What’sYourTech report suggests almost half of Canadians “think it’s OK for the government to monitor our e-mail and other online activities.” [New York Times]

US – NSA Shares Raw Data with Foreign Intelligence Agencies

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying U.S. government did a “bad job” of balancing people’s privacy and duty to protect. Tech executives did not tell the public about the NSA surveillance because, Mayer said, “Releasing classified information is treason” and would mean incarceration. [Source] [Source]

IN – Investigation: Gov’t Monitoring 160M Internet Users

An investigation into the upcoming launch of India’s Central Monitoring System (CMS) found “the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring ‘privacy of communications.’” The CMS plan has prompted privacy concerns in recent months, but The Hindu’s investigation found the government already has monitoring systems “deployed by the Centre for Development of Telematics for monitoring Internet traffic, e-mails, web-browsing, Skype and any other Internet activity of Indian users.” [The Hindu] [Source]

US – University to Install 2,000 Surveillance Cameras; ACLU Doesn’t Like It

The University of Kentucky is planning to install 2,000 surveillance cameras on campus. The plan has the American Civil Liberties Union (ACLU) concerned about such monitoring. “You’re capturing a lot of information about people who are completely innocent,” said ACLU of Kentucky’s Amber Duke. “That’s a lot of information that could be misused.” [The Huffington Post] SEE ALSO: [Made-in-B.C. web tool offers rare glimpse into world’s most remote, private areas]

Telecom / TV

CA – Wireless Firms Let Ottawa Monitor Devices, Data for Licence to Use Spectrum

When wireless companies apply this week to bid on newly available public airwaves, they will also be committing – again – to an unpublicized accord that governs how they will help police and intelligence agencies monitor suspects. For nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to monitor the devices that use the spectrum. The Sept. 17 kickoff of the auction-countdown process will underscore that commitment, made out of sight of most Canadians because it is deemed too sensitive by the government. Documents show that court-approved surveillance in Canada is governed by 23 specific technical surveillance standards known as the Solicitor General’s Enforcement Standards (SGES). Any firm taking part in a wireless auction can obtain a copy, but the contents are not available to the general public. But The Globe and Mail has obtained past and current versions of the accord, which governs the way that mobile-phone companies help police pursue suspects by monitoring telecommunications – including eavesdropping, reading SMS texts, pinpointing users’ whereabouts, and even unscrambling some encrypted communications. Wireless carriers are told they must be ready to hand over such data should police or intelligence agencies compel the release of the information through judicially authorized warrants. Such information goes well beyond traditional wiretaps, and also includes phone logs and keystrokes. Police and intelligence officials say the surveillance is crucial, given that it can help them gather evidence, make arrests and locate missing persons. [Source]

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US Government Programs

US – Authorities Use Border Crossings to Seize Devices

Newly released documents reveal how U.S. authorities use border crossings to seize travelers’ electronic devices without acquiring warrants to access the data. The “largely secretive process” allows the government to set up a travel alert for an individual—even if the person is not a suspect of an investigation—and then detain, seize or copy files stored on electronic devices. As part of a settlement reached with the Department of Homeland Security, the documents were disclosed to David House, a former fundraiser for the legal defense of Chelsea Manning. “I think it’s important for business travelers and people who consider themselves politically inclined to know what dangers they now face in a country where they have no real guarantee of privacy at the border,” House said. [The New York Times]

US – Govt Using Border Searches to Circumvent Fourth Amendment Protections

Documents recently released regarding the seizure of a laptop and other electronic media devices by border US agents suggest that the US Department of Homeland Security (DHS) may be using “travel alerts” to get a look at data for which they would not otherwise be granted a warrant. The documents relate to the case of David House, a Massachusetts man who had befriended Bradley Manning, now known as Chelsea Manning. Federal officials wondered whether House knew anything about a batch of documents that Manning had shared with WikiLeaks but which had not yet been published. House was placed on a “travel list,” and when he returned from a vacation in Mexico in 2010, federal agents seized his laptop, camera, flash drive and cell phone. The laptop was held for seven weeks, and a year after the incident, US agents said that House had done nothing wrong and they promised to destroy all copies of data made from his devices. The federal records were surrendered after a two-year battle with the ACLU, which sued the government on House’s behalf. The ACLU maintains that “the settlement documents demonstrate that the seizure of House’s computer was unrelated to border security or customs enforcement. It was simply an opportunity to conduct a suspicionless search that no court would ever have approved inside the country.” [ZDNet] [NBCNews] [AtlanticWire]

US Legislation

US – DEA Works With Telecom to Use Data Trove

The New York Times reports on the Hemisphere Project, a partnership between federal and local drug officials and AT&T. For at least six years, according to slides provided to the Times, law enforcement officials working on counter-narcotics operations with administrative subpoenas have had access to “an enormous AT&T database” containing decades of Americans’ phone calls. The government allegedly pays the telecommunications provider to place employees in drug-fighting units. The employees work with Drug Enforcement Agency officials and local detectives to provide phone data, often including location data, going back to 1987. The data—up to 4 billion phone records a day—is stored by AT&T and not the government. “Is this a massive change in the way the government operates?” queried a Columbia law professor. “No. Actually you could say that it’s a desperate effort by the government to catch up.” Meanwhile, in an op-ed, Ginger McCall, founder of Advocates for Accountable Democracy, writes about the future of technological surveillance, noting, “we are doing far too little to prepare ourselves.” [Full Story]

US – CA Senate Passes Breach Notification Amendment

California’s Senate has passed an amendment to its breach notification law that would expand the notification requirement to incidents involving personal information that would allow access to online accounts. SB 46 redefines personal information to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The bill also allows organizations to deliver notifications in electronic form but prohibits them from using an e-mail address that may have been compromised due to the breach. The future of SB 46 hinges on the passing of Assembly Bill 1149 as well; both must be passed and enacted prior to the start of 2014 in order to become law. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Do-Not-Track Disclosure Bill Would Have Broad Impact: Opinion

While California’s Do-Not-Track Disclosure bill (AB 370) has been sent to the governor, it has not yet been signed. The bill would amend the California Business & Professions Code (CalOPPA) to require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals as well as disclose whether third parties may collect personally identifiable information. “If AB 370 becomes law, it will have impact beyond California—CalOPPA purports to apply to any website that collects information from California residents,” Forsheit writes. [Information Law Group]

US – Lawmaker, HIPAA Provision Raise Gun Privacy Questions

A Maryland legislator is asking Attorney General Douglas F. Gansler about the legality of viewing confidential information on potential gun-buyers. Delegate Kevin Kelly (D-District 1B) has sent the AG’s office a letter seeking details on “whether it was legal for state police to allow up to 200 state employees from five agencies to view confidential information about prospective gun buyers,” the report states. Meanwhile, the Office for Civil Rights has sent the Office of Management and Budget a proposal “to lift legal barriers related to the HIPAA privacy rule that may prevent states from reporting mental health information to the National Instant Criminal Background Check,” HealthData Management reports. [The Washington Times]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago) means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and perspective employees, making the state the 12th to pass such a law. According to a the terms provide exceptions for certain law enforcement-related agencies and allow for employers to implement and enforce policies on company-issued devices accounts or services; conduct investigations, and comply with requirements of the law. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register, slated to take effect by October 1. [GovInfoSecurity]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [WIRED]

US – Reps. Call for Delay of Death Master File

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720, which would delay the publication of the Social Security Administration’s Death Master File. According to Allen American Star, if the bill passes, only death information released three years after a person’s death would be made available. The bill is an effort to combat the use of deceased individuals’ information for identity theft.

US – Minnesota Agencies See Spate of Data-Access Lawsuits

Five lawsuits have been filed against officials from the Minnesota Department of Natural Resources (DNR) and Department of Public Safety claiming one DNR official inappropriately accessed the information of 5,000-plus citizens. The employee has been fired and criminally charged in a separate case, but the officials say they are not liable for the man’s violations. Main Justice reports the defendants claim that under the Driver’s Privacy Protection Act there are protections for government agencies intending to shield agency officials from being responsible for violations by others who have access to the database. While the defendants are distancing themselves from the man’s actions, they argue that the act allows states to make driver’s license data available to law enforcement and other agencies and does not impose data access or monitoring rules on states. The former wife of a Duluth police officer has also filed a suit, claiming inappropriate access of her driver’s license data by the Duluth Police Department, St. Louis Country Sherriff’s Office and others. In both situations, plaintiffs claim the driver’s license database offers access to more sensitive information, namely health data and Social Security numbers, but the DNR defendants’ filing rejects these claims, citing an audit of law enforcement use of state databases.

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Oregon State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing, Stateline reports. Full Story

US – Long Shot Bill Would Prohibit NSA from Putting Backdoors in Encryption

A US legislator has introduced a bill that would prohibit the NSA from introducing backdoors into encryption. The bill was originally introduced in July, but has received renewed attention following recent revelations about the NSA’s snooping activities. It seeks to repeal the Patriot Act and the FISA Amendments Act of 2008. As currently written, the bill stands virtually no chance of passing out of committee, let alone reaching the floor. [Ars Technica]

Workplace Privacy

US – University Staff Object to Health Plan

Pennsylvania State University’s introduction of “Take Care of Your Health,” a wellness plan has sparked staff protests and allegations it “is coercive, punitive and invades university employees’ privacy.” Under the plan, nonunion employees must “visit their doctors for a checkup, undergo several biometric tests and submit to an extensive online health risk questionnaire that asks, among other questions, whether they have recently had problems with a co-worker, a supervisor or a divorce,” the report states. Those who do not participate face a $1,200 pay deduction annually. “You can’t force people to disclose the state of their marriage or fine them $100 a month,” one professor said. [The New York Times]


16-31 August 2013


US – New Report Shows Ohio Police Secretly Use Facial Recognition Technology

Local law enforcement agencies have started to implement facial recognition technology that could transform police departments across the country. This week, Chrissie Thompson, state capital reporter for The Cincinnati Enquirer, revealed that Ohio’s Bureau of Criminal Investigation has used facial recognition technology to match drivers license photos and surveillance footage for months—without telling the public. The program launched June 6 of this year, and Ohio Attorney General Mike DeWine learned of it two weeks later. Ohio is just one of 26 states that have implemented facial recognition technology. Reporter Chrissie Thompson discusses her investigation, and Attorney General DeWine defends the law enforcement’s use of this technology. [Source]

US – Facial Scanning Is Making Gains in Surveillance

The federal government is making progress on developing a surveillance system that would pair computers with video cameras to scan crowds and automatically identify people by their faces, according to newly disclosed documents and interviews with researchers working on the project. The Department of Homeland Security tested a crowd-scanning project called the Biometric Optical Surveillance System — or BOSS — last fall after two years of government-financed development. Although the system is not ready for use, researchers say they are making significant advances. That alarms privacy advocates, who say that now is the time for the government to establish oversight rules and limits on how it will someday be used. [New York Times]

WW – Google Glass App Being Designed to Read Emotions

Catalin Voss, an entrepreneur and Stanford student from Germany, is working on emotion-recognition tools that could improve education and training by monitoring engagement. The company, Sension,  is among a handful of businesses making strides in emotion-recognition technology. The tools can analyze facial expressions and vocal patterns for signs of specific emotions: Happiness, sadness, anger, frustration and more. There’s a broad array of potential applications, including potentially creepy commercial ones. But the broader goal is to make machines communicate with humans in more natural ways. In that sense, it can be seen as the latest step in the long history of human-computer interaction, a layer on top of motion sensors like Microsoft’s Kinect controller or voice-recognition services like Google Now and Siri. The machines can understand more than the defined meaning of words or gestures, putting them into the context of the feelings with which they’re expressed. Voss stresses that they’re building privacy protections into their apps: They don’t upload facial images, store anything on the phone or attempt to identify individuals through facial recognition (which is banned by Google for Glass). He added that the team has no interest in pursuing any marketing applications of emotion recognition. [Source]

WW – Pay-Per-Gaze Tracking Patent Revealed

Earlier this month, the U.S. Patent and Trademark Office published a gaze-tracking system proposed by Google to monitor the pupils of a user wearing a head-mounted device, such as Google Glass. Connected to a server, the tracking system could infer emotion by detecting pupil dilation and eye movement and could potentially offer “a mechanism to track and bill offline advertisements in the manner similar to popular online advertisement schemes,” the patent states. In other words, the system could charge advertisers when opted-in users gaze at a given billboard, magazine, newspaper or other media. Additionally, the patent specifies that “personal identifying data may be removed from the data and provided to the advertisers as anonymous analytics.” A report by The New York Times delves into ubiquitous data collection , specifically data collected from wearable devices where “Records of voices and events will be a permanent part of the Internet the way text is already, held forever and searched, mined and inspected.” [Fast Company]


CA – Survey: 60% Would Surrender Online Privacy to “Foil Terrorist Plots”

Only a small sliver of Canadians are concerned with keeping their data private, especially in the name of safety and anti-terrorism efforts, according to a survey released by the Canadian Internet Registration Authority (CIRA). About half of Canadians said it was “completely unacceptable” for governments to monitor citizens’ email and online activities, showing a pretty clear split between Canadians as to whether privacy is a priority. Yet that number shifted significantly when pollsters asked respondents if the Canadian government could monitor everyone’s email and other online activities, if officials said that might prevent future terrorist attacks. About 77% of Canadians polled, or three in four, said that would be “completely acceptable,” or “acceptable in some circumstances,” with about six out of 10 saying they would “be willing to give up their Internet privacy if it would help the government foil terrorist plots.” [CIRA Survey] [Source]


WW – Teens Turn to Friends for Advice on Settings Management

A new report from the Berkman Center for Internet and Society at Harvard University indicates that while teens generally figure out how to manage their online privacy themselves, 70% report they have sought advice from someone else. The people they turn to are generally friends, parents or other close family members. The report is based on a survey that polled 802 parents and their children ages 12 to 17 as well as focus group interviews with 156 participants. [Source]

US – IAPP/PLSC Award-Winning Papers Posted

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy.” Find Calo’s “Digital Market Manipulation“ here. Geekwire talks with Calo as well about his paper and its implications for the current Internet marketplace. [Geekwire]

US – Prescription Rewards Program Raises Concern

A new prescription-drug rewards program gives store credit to opted-in customers for other nonprescription products. In February, CVS announced it was expanding its ExtraCare Pharmacy & Health Rewards program to include prescription drug purchases. According to the website, “each person must sign a HIPAA Authorization to join.” A representative from Privacy Rights Clearinghouse expressed concern, saying, “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.” A CVS representative said, “We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers’ personal and health information,” adding, “We do not sell, rent or give personal information to any nonaffiliated third parties.” [Los Angeles Times]

WW – Researchers Earn Grant to Study Privacy Notices

The National Science Foundation (NSF) has announced it is investing $20 million in grants to more than a dozen universities to help tackle the “fundamental challenges” to the nation’s cybersecurity. One group of recipients, including researchers from Carnegie Mellon, Fordham and Stanford, aim to work on a multidisciplinary approach to create effective web privacy notices. The project’s lead investigator said, “If you read privacy notices, you quickly realize that they contain a lot of boilerplate text and that people seem to often be recycling entire sentences and even larger text fragments from one another,” adding, “This project will aim to exploit these types of patterns.” An NSF representative said its “investments in foundational research will transform our capacity to secure personal privacy, financial assets and national interests.” [National Science Foundation]


UK – Councils Sell Off Voter Information

More than 300 local authorities sold people’s names and addresses to more than 2,700 companies and individuals over five years, privacy campaigners have revealed. According to Freedom of Information Act requests made by Big Brother Watch, councils sold the edited electoral register – made of up all those people who register to vote and do not opt-out of the edited version – to pizza shops, estate agents, lobbyists and driving schools among others. The group calls on the Government to abolish the edited register or allow councils to offer people a permanent opt-out instead of the current system that requires people to opt out annually. Some 307 local authorities sold the edited electoral register to more than 2,700 different companies and individuals between 2007 and 2012. Big Brother Watch director Nick Pickles said: “Registering to vote is a basic part of our democracy and should not be a back door for our names and addresses to be sold to anyone and everyone. [Source]

IN – Indian Government Considers Ban on Gmail for Official Use

In what appears to be a reaction to the alleged Internet snooping by U.S. government agencies on users of U.S. based email services, the Indian government is said to be planning a ban on the use of U.S. based email services for official government use. The ban will force government workers to use only official Indian government email servers for official use. Many workers, including some government ministers, use hosted email accounts as they are easier to use and have better features than official email systems. India’s IT minister, Kapil Sibal, said there is no evidence of the U.S. accessing any Internet data from India [Times of India] [ZDNet] [Economic Times]

CA – Toronto Agencies Still Ask for Immigration/Citizen Status

A survey finds it’s risky for undocumented people to seek help from a service agency; half will “ask” about their status, and nearly one in three will “tell.” Almost half of Toronto’s community agencies ask for clients’ immigration status, and 30% say they would share the information with police and immigration officials. Those statistics are from a new city-funded report, the first ever to survey community service agencies about their policies on serving “non-status residents” — a growing population of migrants who are in Canada without immigration status. More than one-third of the participating agencies said they did not know or were uncertain about their legal rights and obligations if approached by law or immigration enforcement inquiring about a client. Some 71% said they did not have a formal policy about serving this population.The 32-page report will be released this week, as Toronto City Council is reviewing its municipally funded services in a bid to ensure they’re available to all residents, “legal” or not. In February, Toronto was declared to be Canada’s first “sanctuary city” for migrants without status. [Source]

US – Illinois Tollway to Post Names of Scofflaws

Motorists who use the Illinois Tollway but refuse to pay tolls and fines may already have collection agents chasing them, but by the end of the week the names of the most egregious scofflaws could also be posted on the Tollway’s website. The list will name those who have racked up more than $1,000 in tolls and fines, officials said. Until now, the Tollway had been reluctant to publicize the names. But Gov. Pat Quinn on Tuesday signed legislation allowing the Tollway to do so, along with the amount of fines and unpaid tolls owed by each violator. The Tollway’s action follows similar public shamings by agencies in Texas and on the East Coast. Last year the Illinois Tollway estimated that deadbeats had racked up about $300 million in unpaid tolls and fines since 2001. The Tollway said it issues about 1.4 million first-violation notices every year. The agency collected more than $33 million in revenue from toll violations in 2011, according to a recent audit. [Source]

US – DOE Notifies Employees of Second Data Breach This Year

The US Department of Energy (DOE) is notifying 14,000 current and former employees that their personally identifiable information was compromised when someone gained unauthorized access to an agency human resources system. The specific information compromised was not disclosed. The incident, which occurred in late July, is the second reported data breach at DOE this year. In February, DOE notified a few hundred employees about a breach launched by “sophisticated attackers.” [SC Magazine] [DarkReading]


US – Groklaw Announces Shut Down Due to Decline of eMail Privacy

The website Groklaw has announced that it will shutter operations to avoid US government surveillance. Groklaw promises its sources anonymity, but the revelation of the surveillance practices mean that the site can no longer ensure anonymity. Groklaw founder Pamela Jones pointed to the recently revealed US intelligence practice of gathering email from outside the country and storing the data for years in the hope that technology will eventually allow those protected by encryption to be read. Over the last several weeks, two encrypted email services – Lavabit and Silent Circle — have shut down operations rather than face the likelihood of being served warrants demanding customer data. [The Register] [ComputerWorld] [BBC] [Ars Technica] [German government refutes Windows ‘backdoor’ claims]

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Full Story]

Electronic Records

US – Electronic Data Does Not Constitute ‘Tangible Property.’

Insurance company Liberty Mutual has filed a lawsuit against the supermarket chain Schnucks seeking release from liability in relation to a computer security breach Schnucks suffered earlier this year. Between December 2012 and March of this year 2.4 million credit and debit cards used at 79 of Schnucks’ stores were compromised. As a result eight lawsuits have been filed against Schnucks by customers whose cards were hacked. Liberty Mutual is refusing to meet those claims stating that its coverage only applies to property damage and bodily injury and that electronic data does not constitute ‘tangible property.’ [Fox] [SupermarketNews] [Softpedia] SEE ALSO: [Canada: Tracking device may cut car insurance]


WW – Password-Cracking Just Got Smarter

Passwords just got a lot easier to crack. That’s because password-cracker “ocl-Hashcat-plus,” a freely available service for offline hashed password cracking, can now decode passwords with as many as 55 characters. The program previously could only crack passcodes with 15 characters or less, but Web users have increasingly used longer passcodes and phrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight-billion guesses per second “on a virtually unlimited number of compromised hashes.” [Ars Technica]

EU Developments

EU – New EU Rule Requires Breach Notification Within 24 Hours

As of August 25, telecommunications operators and Internet service providers (ISPs) in the European Union (EU) must notify authorities within 24 hours of detecting a data security breach. While notification is already required, the mandatory 24-hour window is raising concerns because organizations will not have adequate time to conduct forensics. There is also movement toward broadening the scope of the requirement to include all industries. [SC Magazine] [] [Infosecurity-magazine] [EU Data Breach Notification Rule: The Key Elements] See also: [Berlin Commissioner Talks Surveillance, Big Data and New Rules on Privacy] and also [New major incidents in 2012 report by EU cyber security agency ENISA]

EU – Breach Notification Schemes Prompt “Major Concern”

A draft opinion from the European Parliament’s Civil Liberties, Justice and Home Affairs Committee by Swedish MEP Carl Schlyter cites a “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. “A major concern that remains regards the relationship of the proposed system to the notification system proposed under the General Data Protection Regulation, and their effective coexistence, which is one of the reasons we highlight the fact that any EU cybersecurity legislation should follow the adoption of the General Data Protection Regulation, not precede it,” he writes. [Out-Law]

UK – Aberdeen City Council Fined GBP100,000 For Employee Data Breach

The United Kingdom’s Information Commissioner’s Office (ICO) has fined the Aberdeen City Council the sum of GBP100,000 (US$150,000) resulting from the leaking online of sensitive data relating to vulnerable children. The data was accessed on an employee’s home PC from where a file sharing program installed on the PC uploaded the information and shared it online. The information was first leaked on the 14th November 2011 and was detected by another member of staff on the 15th February 2012. Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.” [ITPro] [] [The Register]

UK – Google Says UK Privacy Law Doesn’t Apply

Google has told British consumers in a privacy claim that it doesn’t have to answer to UK courts and the country’s privacy laws don’t apply to the company. Google will fight UK Safari users’ right to bring a case in the country and will force the plaintiffs to instead file the suit in California. The plaintiffs are seeking damages, disclosure and an apology from Google for allegedly circumventing users’ security settings and tracking them on Apple’s Safari browser, the report states. [IDG News Service].

Facts & Stats

US – COPPA Changes Leading to “Plummeting” Ad Revenue

COPPA changes that went into effect July 1 are creating headaches for publishers of “mom and pop” websites who say their ad revenue is plummeting. Judy Miller, founder of Apples4TheTeacher, a resource for teachers that also attracts children. Said, “The law is so subjective for what is a kids’ site and what is a mixed site, it just has thrown me into a tailspin.” The Interactive Advertising Bureau’s (IAB) Mike Zaneis said, “Unfortunately, this was all too predictable, as the IAB warned for two years that the impact of the new COPPA rules would mean less revenue for child-directed sites and fewer free offerings for families.” [AdAge]


US – Facebook friends could change your credit score

A handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.” [CNN] [Source]


CA – Sunshine Summit: Who’s Defending Your Right to Know?

In celebration of the 10th annual Right to Know Week, the Privacy and Access Council of Canada (PACC) is presenting the Sunshine Summits to raise awareness and generate discussion about access rights and practices. Experts from government, industry and academia will join together at Sunshine Summits in Toronto (September 23), Calgary (September 25) and Victoria (September 27) to explore Who’s Defending Your Right to Know. [Further details and registration] See also: [US: Last of the secret Nixon tapes released; include meeting with USSR’s Brezhnev]

US – Additional Guidance for Open Data Project

The White House has released additional clarification and detailed requirements to help agencies achieve open data project objectives. An executive order in May affirmed the importance of the open data project, noting that open data are a boon to economic growth, innovation, and government efficiency. Agencies must submit open data progress reports by November 1, 2013. [NextGov] [Project Open Data Implementation Guide]

US – Bloomberg Releases Data and Privacy Practice Review

In response to revelations last May that Bloomberg News and some of its journalists were using terminals that had access to sensitive financial subscriber data, the organization conducted and has now released the results of a comprehensive external review of its data and privacy practices. Conducted by Hogan Lovells and Promontory Financial Group, the review examined Bloomberg news stories, employees, client data systems and other documents, to locate and address the company’s governance framework. This exclusive for The Privacy Advisor looks into some of the recommendations and how privacy pros can use this example within their organizations to bolster the need for strong data and privacy frameworks. [Source]

UK – FOI Reforms In Effect September 1

As of September 1, amendments to the Freedom of Information Act go into effect, meaning public bodies in the UK will be required to disclose datasets “in an electronic form which is capable of re-use” when requested, subject to it being “reasonably practicable” to do so. The ICO has issued guidance on the law and advised authorities to consult its code of practice on anonymising personal data before responding to FOI requests. []

Health / Medical

US – Privacy, Pharmacy Groups at Odds Over Refill Reminder Funding Rule

The World Privacy Forum — a privacy rights group — is challenging an effort by the Specialty Pharmacy Association of America (SPAARx) to convince HHS to change a privacy rule that would limit funding for prescription refill reminder programs. The battle between privacy advocates and the pharmaceutical industry highlights the debate over the use of data in patients’ health records without patient consent. [Source]

US – Study: Dearth of Laws May Delay Mobile Health Apps

A recent report by TrustLaw Connect, a pro bono legal initiative of the Thomson Reuters Foundation, has shown that most African countries have not implemented laws to protect patient data, delaying efforts to launch mobile healthcare (mHealth) applications. “The primary risk of not having explicit laws assuring patient confidentiality is that many people may avoid accessing necessary services,” says William Philbrick, of the mHealth Alliance, noting this is “particularly true when we are talking about HIV.” Esther Ogara, head of eHealth at Kenya’s health ministry, says while it’s important to make laws to safeguard patient data, “countries must continue to deploy mHealth tools to save lives while they formulate laws.” [SciDevNet]

UK – Medical Details to Be Sold For £1

THE medical records of millions of British patients are to be sold off for £1 each. Backing the plan: Health Secretary Jeremy Hunt. GPs will send the individual files to a central database from next month. Private firms such as Bupa can then apply to buy them for research. But doctors do not have to tell patients about the plan, which has been slammed by privacy campaigners. Phil Booth, of campaign group medConfidential, claimed NHS England plans to backdate it 20 years. Shami Chakrabarti warns over privacy protection “The more people who have access to sensitive data, the greater risk it will not be protected properly.” He said: “This is a wholesale rewriting of the deal between patient and doctor. “When people go to the GP, they go for medical treatment, they don’t expect commodification of their patient records.” [Source]

US – More Healthcare SMEs Eyeing Breach Insurance

In light of a growing number of healthcare breaches affecting small- and medium-sized organizations, many are looking at acquiring cyber insurance. A recent Experian/Ponemon Institute study found a growing trend of organizations across industry sectors looking toward such protection. Experian Data Breach Resolution Vice President Michael Bruemmer said specifically with healthcare, 32% of organizations polled already have insurance and an additional 41% are considering it. Bruemmer also said he has seen a shift toward smaller healthcare practices showing interest in cyber insurance coverage. [American Medical News]

Horror Stories

US – Regulators, State AG to Investigate Advocate Breach

Federal regulators and the Illinois Attorney General’s Office confirmed this week they will investigate Advocate Medical Group’s data breach. The breach was the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services (DHHS) since its mandatory breach notification rule came into effect in September 2009, the report states. The July 15 breach affected more than four million patients seen by Advocate Medical Group from the early 1990s through July. Affected patients have begun receiving notification letters. DHHS investigates any breach affecting more than 500 people, but wouldn’t comment on the Advocate case citing the pending investigation. [Chicago Tribune] [Healthcare IT News: Second Largest HIPAA Breach Ever Affects Four Million] See also: [Ontario nurse fired after viewing 1,300 patient records]

US – Judge Dismisses Class-Action; Breaches Affect Business and School

A California federal judge has dismissed a proposed class-action accusing Symantec of concealing a data breach. Meanwhile, Sustainable a data breach at the Bonneville Power Administration has compromised the data of 3,100 employees. And the University of Mississippi has acknowledged that an employee mistakenly attached a spreadsheet containing nearly 2,300 students’ names, Social Security numbers, grade-point averages, races, genders and other details to a mass e-mail to students. [Law360]

US – Judge Approves $20M Facebook ‘Sponsored Stories’ Settlement

A federal judge has approved a class-action settlement that will require Facebook to pay $20 million for putting users in their “Sponsored Stories” advertising program without their permission. Originally, U.S. District Judge Richard Seeborg had said he had “serious concerns“ over the deal because it paid $10 million to charity but nothing to class members. The settlement now divides the $20 million among charities, the class-action attorneys and the 125 million U.S. Facebook users affected. [WIRED]

WW – Facebook to Compensate Users for Sharing Details on Ads

Approximately 614,000 Facebook users whose personal details appeared in ads on the site without their permission will each receive a $15 (£9.65) payout. The names and pictures of an estimated 150 million Facebook members were used in Sponsored Stories, but only those who responded to an email from the site earlier this year will be compensated. Privacy organisations will also receive some of the $20m (£12.9m) settlement. Facebook said it was “pleased” the settlement had been approved. The payout was approved by a US court following a class action filed against Facebook in 2011 by five of its users. The group said their details had been used to promote products and services through the site’s Sponsored Stories programme, without paying them or giving them the choice to opt-out. US District Judge Richard Seeborg acknowledged that the $15 payments were relatively small, but said it had not been established that Facebook had “undisputedly violated the law”. He added that the claimants could not prove they were “harmed in any meaningful way”. The court estimated that Facebook had made about $73m (£47m) in profit from the Sponsored Stories featuring details of the 150 million members. The settlement also requires Facebook to make changes to its “Statement of Rights” and to give users more information and control over how their details are used in the future. This move was estimated by the plaintiff’s lawyers to cost Facebook $145m in advertising revenue. Approximately 7,000 Facebook users opted out of the settlement altogether, allowing them to bring their own legal action against the social network. [Source]

US – Federal Reserve Employee Data Exposed

Law enforcement is working with the Federal Reserve to investigate a hacking incident that has resulted in the release of employee data online. Individuals claiming to be part of the hacktivist group Anonymous have claimed responsibility for posting online the “full details of every single employee at Federal Reserve Bank of America,” adding central banks have “systematically defrauded the planet.” The bank says the data was likely accessed more than six months ago, through a breach of its Emergency Communications Systems and includes names, phone numbers and e-mail addresses, among other information. [Bloomberg]

US – Citi Fined US$55,000 for Data Breach

The state of Connecticut has fined Citi US$55,000 as a result of a security flaw which led to a data breach exposing the personal details of 360,000 customers and the subsequent theft of US$ 2.7 million. The account details were accessed in May 2011 when a flaw in Citi’s Account Online Web-based service allowed criminals to log into the system, and by simply changing a few characters in the URL they were able to access other accounts. According to Connecticut’s Attorney General George Jepsen, Citi were aware of the vulnerability and that it could have existed for three years before the attack. Not only will Citi pay a fine of US$55,000, it has agreed to engage a third party to conduct a security audit of the Account Online system and will offer two years of free credit monitoring for any affected customers from the state. [Finextra] [Harford Business]

US – Northrup Grumman Data Breach

Employees of and applicants to Northrup Grumman’s linguist program have been notified that their personal data were compromised in a security breach. More than 70,000 people were affected. The incident: unauthorized database access sometime between November 2012 and May 2013. [SC Magazine]

Identity Issues

US – New Class-Action Sought Over UDIDs

A group of consumers seeking class-action status is alleging Apple’s pledge that it would restrict access to devices’ 40-character unique identifiers (UDIDs) “has thus far been ineffective and leaves class members’ personal information exposed.” The consumers, who had previously sued Apple after reports alleged developers could access iPhone and iPad UDIDs, have filed a motion asking U.S. District Court Judge Lucy Koh to grant them class-action status. While Apple does not define UDIDs as personal information, “the consumers argue that the identifiers become personally identifiable information when combined with other supposedly anonymous information, such as ZIP codes, occupation or area code,” the report states. [Media Post News] See also: [DMA Not A Supporter of “Reclaim Your Name” Campaign]

US – Texas Pastafarian Becomes First In U.S. to Wear Colander in License Photo

Trips to the DMV don’t typically elicit genuine smiles, but from beneath a metal pasta strainer, Texas Tech student and practicing Pastafarian Eddie Castillo flashed the “biggest, cheesiest” one he could muster last week. Castillo told KLBK that the triumphant moment came after a lengthy fight with the state’s Department of Public Safety that the unusual headgear was protected as part of his religious beliefs. Castillo is the first American to successfully have his government-issued photo identification taken while wearing a colander, though DPS officials are reportedly planning to follow up with Castillo in order to “rectify” the situation. Others have tried unsuccessfully, and Castillo told KLBK that he was surprised at his victory, which he called a “political and religious milestone for all atheists everywhere.” [Source] SEE ALSO: [Germany to add third gender option to birth certificates]

Internet / WWW

WW – NSA Surveillance Network Covers 75% of U.S. Web Traffic

The surveillance network set up by the National Security Agency (NSA) intercepts more U.S. Internet communications than has been publicly revealed. The system, allegedly designed to target foreign communications for intelligence purposes, has the ability to reach approximately 75% of all U.S. Internet activity—including, in some cases, the ability to retain written content of e-mails sent between Americans and domestic phone calls made via the web, the report states. One U.S. official, however, said the NSA is “not wallowing willy-nilly” though domestic communications, adding, “We want high-grade ore.” [The Wall Street Journal] [NBC News] [CNN] See also: [New Zealand has direct access to US surveillance]

WW – Project Loon Raises Concerns

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don’t have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google’s claims about the Loon balloons’ navigability are true, it is in fact an ‘unmanned aircraft,’ sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.” [Source]

WW – The Internet of Things: Baby Monitor Hacked

A Texas family heard noises coming from their toddler’s bedroom through their video baby monitor. A man was yelling obscenities at their child, and when the parents entered the room, he yelled obscenities at them as well. The family had taken security precautions, including enabling a firewall and establishing passwords for their router and the baby monitor camera, which connects to their Wi-Fi network. [BBC] [CNET] [NBCNews] SEE ALSO: [Webcam spying goes mainstream as Miss Teen USA describes hack]

Law Enforcement

BC – Police Tech Could Stop Crimes Before They Even Happen

Police technology is getting closer and closer to being able to stop crimes before they occur. The technology will draw from multiple data sets to predict that a specific crime will probably occur in a specific location at a specific time, he said, so police will know where to go before a crime has been committed. “We will actually be deploying police units preemptively to where crime isn’t happening, but where we’re predicting it might,” said Prox. Police cars are equipped with mobile terminals with touch screens for easy access to the data while on the go, so officers can make their own decisions on where they should be. The customized computer system from IBM has been used since 2007, and is making Vancouver’s police force leaders in North America, keeping pace with the likes of New York and Los Angeles. In addition to preventing crime, “big data” can also be used to solve cases traditional techniques couldn’t crack, said Prox. [Source]

CA – Calgary Planning to Put Cameras on More Police

Take a police-eye view of a driver getting a ticket via the body cameras that will soon be used by many more Calgary police officers after a pilot program was deemed a success. After testing body-worn cameras on a small group of officers for nine months, the Calgary Police Service has decided it wants to eventually equip all its uniformed officers with the devices. But police are still developing policies and guidelines about how the cameras will be used and what authorities will do with the recordings they capture — and privacy experts said it’s essential to address those questions before going much further. “One of the principles about privacy is openness and transparency. Their policies and practices should be readily available to the public,” said Kelly Ernst, senior program director at the Sheldon Chumir Foundation for Ethics in Leadership. “They probably shouldn’t be putting the cart before the horse.” [Source] See also: [US: Asiana crash photo leak prompts helmet cam ban]


WW – Researchers Show Method of Sneaking Malicious Apps into Apple Store

Researchers have demonstrated a method of creating malicious apps that evade detection by Apple’s app review. The apps, dubbed Jekyll malware, use program paths that do not exist during the app review process. [NBC News] [Information Week]

US – Apple Updates App Store Guidelines per COPPA Revision

Following the legislative update to the Children’s Online Privacy Protection Act in July, Apple has updated its App Store Review Guidelines. The revised guidelines offer stronger privacy protections and limit the way apps can handle user information. They also contain a new provision on Kids Apps, which apply to children under the age of 13. That provision requires apps to have a privacy policy and be made for kids within the age ranges of five and under, six to eight or nine to 11. Kids Apps rules also forbid apps from serving ads through behavioral targeting. [Information Week]

HK – PCPD: “Do No Evil” App Invades Privacy

Hong Kong Privacy Commissioner for Personal Data (PCPD) Allan Chiang Yam-wang has “found mobile app Do No Evil had supplied sensitive personal data—including names of litigants, partial identity card numbers, addresses, claims amounts and company directors’ data—to users without voluntary consent.” The PCPD found the smartphone application, which allows members of the public to access a database of millions of litigation records “seriously invaded” privacy, the report states. “I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire,” the PCPD said. The PCPD’s actions are receiving criticism from a corporate governance activist. [South China Morning Post]

WW – Android Malware Spreading Through Mobile Ad Networks

Malware targeting Android devices has been found to be spreading through mobile advertisement networks. Many developers include advertising frameworks in their apps to help boost profits. Advertisements in mobile apps are served by code that is part of the app itself. An attack scheme in Asia involved a rogue ad network pushing code onto devices. When users download and install legitimate apps, the malware prompts users to approve its installation, appearing to be part of the process for the app they have just downloaded. [ComputerWorld]

US – Study: Teens Really Do Care About Privacy on Their Smartphones

More than half of teens who use mobile apps say they avoid downloading some of them because of concerns about personal information being shared with others, including location-based data. And a quarter of teens say they’ve even uninstalled apps once they learned the apps might be collecting “personal information that they didn’t wish to share.” The findings are from the Pew Internet Project’s new report, “Teens and Mobile Apps Privacy,” which says that 58% of all U.S. teens, ages 12 to 17, have downloaded apps to their phones or tablets. For teen girls, location information “is considered especially sensitive,” Pew said in its report. A majority of them “have disabled location-tracking features on cellphones and in apps because they are worried about others’ access to that information.” In its survey of 802 teens, ages 12 to 17, and their parents, Pew found:

  • 58% of all teens say they’ve downloaded apps to their phone or tablet.
  • 51% of app users say they’ve avoided certain apps because of privacy concerns.
  • 26% of app users say they’ve uninstalled an app after they found out it was collecting “personal information that they didn’t wish to share.”
  • 46% of app users say they have turned off location-tracking features on their phones or in an app “because they were worried about the privacy of their information.”
  • Girls are more likely than boys to disable location-tracking features, 59% to 37%.

However, this privacy concern isn’t totally cause for parents to celebrate. “Some of the people” teens might be concerned about being tracked by are — perhaps not surprisingly — “their own parents,” Pew noted. “As early as 2009, the Pew Internet Project found that about half of parents of teen cellphone owners said they used the phone to monitor their child’s location in some way.” [Source]

WW – ‘Boyfriend Tracker’ App Pulled Over Privacy Concerns

Brazilians were outraged when they learned their country was a top target of the U.S. National Security Agency’s overseas spying operation, with data from billions of calls and emails swept up in Washington’s top secret surveillance program. Yet when it comes to the cloak and dagger effort of catching philandering lovers, all high-tech weapons appear to be fair game — at least to the tens of thousands of Brazilians who downloaded “Boyfriend Tracker” to their smartphones before the stealthy software was removed from the Google Play app store last week, apparently in response to complaints about privacy abuses and its potential to be used for extortion or even stalking. The app, called “Rastreador de Namorados” (Portuguese for Boyfriend Tracker), promises to act like a “private detective in your partner’s pocket.” Functions include sending the person doing the tracking updates on their partner’s location and forwarding duplicates of text message traffic from the targeted phone. There is even a command that allows a user to force the target phone to silently call their own, like a pocket dial, so they can listen in on what the person is saying. [Source]


SA – South African National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Privacy Tracker]

Online Privacy

WW – Facebook Changes Include Expanded Facial Recognition

Facebook has announced that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s “Sponsored Stories” feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” [The Wall Street Journal] See also: [US: Here’s The Most Amusing Way To Learn The Depressing News About Your Vanishing Privacy]

WW – Facebook Says Countries Sought Data on 38,000 Users First Half of 2013

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80% of those requests. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the amount of requests they made in the six month-period prior, which was roughly between 18,000 to 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users. [Reuters] See also: [Researcher posts Facebook bug report to Mark Zuckerberg’s wall]

WW – LinkedIn to Allow Teens

Professional networking site LinkedIn will soon welcome teens ages 14 and up. The service was previously only available to users aged 18 and up, but it will launch “University Pages” in an effort to help college-bound students network. The change required LinkedIn staff to do some research on how to protect teens’ privacy online. Privacy settings for teens will include hiding birth dates, preventing their profiles from appearing in public search engines and only allowing their photos to be visible to “first-degree” connections. [Forbes]

US – Peter Swire Quits Group Tasked With Creating Out Do Not Track Standard

DNT of Co-Chairman Peter Swire has left the W3C’s working group tasked with creating a Do-Not-Track browser standard. “The 110-member international group was formed two years ago to unite all stakeholders on a tracking standard. But by the end of last year, the group was still nowhere near consensus, and browser companies such as Mozilla and Microsoft began to go their own way with their own browser solutions, causing a controversy with the interactive advertising community,” the report states. Swire, who was recently named to the Obama administration’s NSA review panel, wrote he is leaving due to the appointment, citing a “sense of responsibility” to serve on that panel, the report states. [Adweek] [FTC Getting Impatient on DNT]

Other Jurisdictions

NZ – New Zealand Government Passes NSA-Style Snooping Bill

New Zealand has passed a hotly-disputed bill that radically expands the powers of its spying agency. The legislation was passed 61 votes to 59 in a move that was slammed by the opposition as a death knell for privacy rights in New Zealand. The new amendment bill gives the Government Communications Security Bureau (GCSB) – New Zealand’s version of the NSA – powers to support the New Zealand police, Defense Force and the Security Intelligence Service. Opposition to the legislation has voiced concerns it will open the door to the NSA-style monitoring of New Zealand citizens in violation of their rights. A recent survey by Fairfax Media-Ipsos found that three quarters of New Zealand’s population is “concerned by the law.”[Source]

RU – Russian Senator Seeks Probe Twitter’s Compliance With Personal Data Law

Russian Sen. Ruslan Gattarov says Twitter’s privacy policies violate Russian and European data protection laws. Gattarov has asked the prosecutor general, the head of the federal communications agency and the Council of Europe’s data protection commissioner to conduct an investigation. He alleges certain parts of Twitter’s policies violate Russian users’ rights, including the omission of explanation for the reason personal data is collected and the lack of a translation of part of its policy into Russian. [Rapsi News]

WW – Tech Giants Concerned About Proposed Brazilian Law

Brazil is currently crafting its first nationwide set of data protection and Internet governance laws. Recent amendments to the country’s Internet Constitution, or the Marco Civil da Internet, have raised concerns among some U.S.-based tech companies. A new amendment would require data to be stored locally, causing representatives from Google and Facebook to raise red flags. Facebook’s Bruno Magrani has said the company is concerned because it would be “an enormous technical challenge” for the company and could jeopardize its service in Brazil. Part of the thinking behind storing data locally, according to Foreign Policy, is to protect Brazilians from U.S. government surveillance. [ZDNet]

Privacy (US)

US – Leaked NSA Audit Shows Agency Violated US Citizens’ Privacy

Leaked documents indicate that the US National Security Agency (NSA) has run afoul of privacy laws thousands of times since 2008. That year, Congress passed the FISA Amendments Act, which broadened the NSA’s data collection authority “in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and … reports to Congress and the surveillance court.” Although NSA Director General Keith Alexander said that the agency has not abused surveillance powers and that it does not store data on US citizens, it has in fact done both. One of the leaked documents, a May 2012 NSA internal audit, listed nearly 2,800 incidents over the past year. [Washington Post] [WIRED] [The Register]

US – FISA Court Admonished NSA for Misrepresenting Surveillance Program

A document declassified by US intelligence officials shows that the Foreign Intelligence Surveillance Court criticized the NSA for providing misleading information about a surveillance program. The FISA Court opinion is reproachful of the NSA for misrepresenting the scope of the surveillance. The opinion found that some NSA surveillance activity violated the Fourth Amendment. [Washington Post] [ZDNet] [WIRED] []

US – President Meets with Surveillance Review Panel

President Barack Obama met with the panel he requested to review U.S. surveillance programs on the collection of telephone and Internet data for the first time on Tuesday. Obama announced the panel’s establishment earlier this month, saying, “It’s not enough for me, as president, to have confidence in these programs. The American people need to have confidence in them as well.” The panel will provide the president with interim findings in 60 days, and its goal is to examine how the U.S. “can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties.” [Bloomberg]

US – US Surveillance Guidelines Not Updated For 30 Years, Privacy Board Finds

Barack Obama’s new privacy watchdog has delivered its first bark, with a letter to intelligence chiefs urging them draft stronger rules on domestic surveillance, something it revealed had not been updated for 30 years. The intervention of the Privacy and Civil Liberties Oversight Board, its first since the appointment of new staff by the White House earlier this year, came as Obama acknowledged that technology was outpacing the checks put in place to protect privacy and said the National Security Agency was “scary to people”. Hours earlier, the Privacy and Civil Liberties Oversight Board (PCLOB) wrote to director of national intelligence James Clapper and the Department of Justice calling for them to begin formulating new guidelines to reflect recent advancements in surveillance capabilities. PLCOB also requested that “both the attorney general and the director of national intelligence work together to focus the attention necessary to update each element of the intelligence community’s procedures to collect retain and disseminate US persons’ information”. It said procedures should capture “both the evolution of technology and the roles and capabilities of the intelligence community since 9/11”. “Specifically, the board would appreciate receiving by October 31, 2013, an agency-by-agency schedule establishing a time frame for updating each agency’s guidelines,” added chairman David Medine. “In the meantime, the board would appreciate a briefing on the status of the guidelines and process for reviewing and updating them.” [Source]

US – FTC Announces $3.5M FCRA Settlement

The Federal Trade Commission (FTC) has announced a settlement with Cetergy Check Services, Inc., for failing to correct or delete inaccurate consumer information in a timely manner, violating provisions of the Fair Credit Reporting Act (FCRA). The agreement includes a $3.5 million civil penalty for the check-verification company due to “knowing violations…that constituted a pattern or practice of violations.” Meanwhile, the Future of Privacy Forum has recorded a podcast with Prof. Chris Hoofnagle about his essay “How the Fair Credit Reporting Act Regulates Big Data,” in which he points to consumer reporting as the first Big Data initiative and argues that use-based regulation hasn’t been effective. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – OMB Releases Privacy Guidance on “Do-Not-Pay Lists”

Office of Management and Budget (OMB) Director Sylvia Mathews Burwell has released mandatory guidance for agencies implementing the “Do-Not-Pay List” of contractors considered ineligible for government work. The memo also outlines how this can be done while adhering to laws that protect privacy. The memo also lays out the legal procedures for using an online tool designed for a “single point of entry” through which agencies can access data on determining a contractor’s eligibility for a benefit, grant or contract award, the report states. [Government Executive] [FierceGovernment]

US – Coalition of AGs Protest Navigator Program

New hires under the Affordable Care Act could threaten the private information of health insurance candidates, says Florida Attorney General Pam Bondi. Joined by a dozen other Republican state AGs, Bondi wrote a letter to Department of Health and Human Services (DHHS) Secretary Kathleen Sebelius arguing that DHHS’s forthcoming “navigator” program—designed to help Americans navigate paperwork of the new healthcare system—puts patients at risk. Bondi said those hired as navigators will not undergo background checks, meaning individuals’ personal information could fall into the wrong hands. “What if they’ve been convicted of committing identity theft or grand theft before?” Bondi said. “They could potentially still become a navigator.” [The Hill]

US – Judge Says Changing IP Address and Using Proxies May Violate CFAA

A federal judge in California has ruled that changing IP (Internet protocol) addresses or using a proxy server to access a public website from which a user has been banned constitute violations of the Computer Fraud and Abuse Act (CFAA). The case involves a company that aggregated and republished advertisements from Craigslist. The company, 3taps, received a cease-and-desist letter from Craigslist, and Craigslist blocked IP addresses associated with 3taps. The company used alternate IP addresses and proxy servers to get around the blocks. [Ars Technica]

US – Opinion: Final FIPP Is Crucial for Federal Privacy Programs

As federal programs as diverse as the National Security Agency and the Drug Enforcement Agency come under scrutiny for their privacy practices, Mary Ellen Callahan, former CPO at the Department of Homeland Security, says federal agencies of all kinds can avoid privacy disasters by adhering to the most crucial of Fair Information Practice Principles: auditing and accountability. In this latest post for Privacy Perspectives, Callahan lays out in detail how privacy worked at DHS under her watch and why CPOs need “holistic investigatory authority.” [Source]

US – Opinion: Who’s the Most Active Enforcer? FTC or OCR?

Robert Gellman discusses recent FTC enforcement activities, writing, “I want to put FTC privacy activities into a perspective by comparing the FTC with the Office for Civil Rights (OCR), Department of Health and Human Services.” Gellman cites statistics, writing the FTC reported 153 cases from 1997 through February of this year, while the “OCR investigated 19,726 complaints that revealed a violation during the 10-year period ending in April 2013.” Gellman opines, “It seems to me that it is difficult to look at the numbers and still think that the FTC’s record justifies grand claims about the role of the FTC as a general enforcer of privacy standards in the commercial sector.” [Concurring Opinions]

US – Opinion: Should Smith v. Maryland Be Revisited?

With more focus on the recent dragnet collection of phone metadata by the National Security Agency, NPR explores whether the legal precedent—the 1979 case, Smith v. Maryland—needs to be revisited. Smith v. Maryland is at least one case that supports the third-party doctrine—when information is shared with a third party, a person’s expectation of privacy is diminished. Stanford University Prof. Jennifer Granick said, “Nothing in Smith v. Maryland authorized mass surveillance, and the information that was collected (in that case) is a much narrower category than the information that the government’s currently getting.” Since so much data is now shared with third parties—including location information from smartphones—individuals are constantly revealing their location, which “is not information that you voluntarily disclose to anybody,” Granick added. [NPR]

Privacy Enhancing Technologies (PETs)

WW – Support for Anti-Tracking Wear on the Rise

When the developers of “OFF Pocket,” a sleeve for smartphones that blocks incoming phone signals, WiFi, GPS and Internet connections, launched their kickstarter campaign looking for $35,000, they ended up raising $56,447. NPR blogger Robert Krulwich offers his views on why the campaign was so successful. At some point, news of the U.S. government’s warrantless data collection combined with a proliferation of surveillance devices will “make us wonder… ‘Who’s watching me?’” he writes, adding, “once we start wondering, it’s only natural to think about protecting ourselves—and that’s the change, I suspect, that has just begun.” After its kickstarter success, OFF Pocket may go commercial, but concerns about use by terrorists have caused designers of other surveillance-blocking attire to hold back their technologies. [Source] See also: [Female football fans crying foul over ban on purses at all NFL stadiums]

WW – Companies Enhancing Ways to Go Incognito

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login capabilities, the companies say the encryption for smartphone-based services happen on the device, so there is no way to unencrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. [The Wall Street Journal]


US – FDA Publishes Security Guidance for Wireless Medical Devices

The US Food and Drug Administration (FDA) has published radio frequency guidance for wireless medical devices. The guidance includes information about authentication and encryption to prevent hackers from gaining control of the devices. [Health IT Security] []

WW – RFID Identifies Drunk Individuals Before They Drive

A radio frequency identification system tested for two weeks in April 2013 at Singapore night club Zouk may have prevented alcohol-related traffic accidents, by warning parking attendants not to hand over car keys to inebriated patrons. The solution, known as the Pee Analyser, was developed by DDB Group Singapore, an advertising and marketing agency, at Zouk’s request. The technology was designed to make it easy to ascertain an inebriated individual’s blood-alcohol level before he begins driving. The trial’s focus was only on men, the company reports, since they account for 90% of drunk-driving arrests in Singapore. At Zouk Singapore, two urinals were equipped with devices that measure the blood-alcohol content of an individual’s urine. A ThingMagic Astra ultrahigh-frequency (UHF) RFID reader was installed near the urinal. During the pilot, as a male patron arrived at the club, he was provided with a valet ticket containing an embedded passive UHF RFID transponder. As that customer used the urinal throughout the evening, the sensors in the toilet determined the amount of alcohol in his urine. If that number exceeded the legal limit, the sensor transmitted a prompt via a wired connection to a computer, also wired to the ThingMagic reader—which, in turn, wrote that information to the patron’s ticket. The sensor then instantly reset, thereby allowing consecutive readings. For those possibly unfit to drive, the system displayed an alert on a video monitor above the urinal, stating: “You may have had one too many to drive. Call a cab, or use our drive home service.” An additional interrogator was mounted at the parking area in front of the nightclub. This device read every male patron’s card, and a screen displayed any warnings of high blood-alcohol levels, enabling the valet staff to determine whether or not to turn over each individual’s car keys. [Source]

NZ – Bar’s Toilet Cameras Spark Outrage

A Christchurch bar has sparked outrage after it installed cameras in its toilets in a bid to catch vandals and increase security. Popular music venue Dux Live says it was forced to introduce the in-toilet security system after a rising vandalism problem last year. The cameras have been approved by police and are even admissible as evidence in criminal courts, bar management says. This week, the Lincoln Rd bar posted footage from the cameras on its Facebook page to try to catch some people they allege to have done damage in the toilets. General manager Ross Herrick says he wants to “name and shame” bar-goers who were trying to steal framed pictures of famous musicians from the toilet walls. He denies it’s a breach of privacy, saying: “If you’re not doing anything wrong, you’ve got nothing to worry about.” Sensitive areas of the footage is blacked out, while the footage is only reviewed if there has been an issue, Mr Herrick says. “Only the guilty need be worried and only the perverted mind would think it possible that the camera’s were to be used in an indecent way,” he said. [Source] SEE ALSO: [Paris suburb to fight dog droppings with CCTV cameras]


US – Cybersecurity Policy Developments Roundup

In February, President Obama signed an Executive Order that put into motion a number of initiatives aimed at improving the cybersecurity posture of the “critical infrastructure” of the United States. Among the Order’s most significant provisions is Section 7, which directs the Commerce Department via its National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework for reducing cyber risks to critical infrastructure. The Framework must be technology neutral and include “standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk.”

NIST is already well on its way to developing the Framework, which is expected to be widely influential. On July 1, NIST published a draft outline of the Framework, and NIST aims to publish a Draft Preliminary Cybersecurity Framework for stakeholder review and input in late August. In September, NIST will hold its fourth and final Framework workshop, which will focus on the August draft and other topics to be announced. NIST expects to publish the Preliminary Framework for formal public comment on October 10. Under the Executive Order, the Final Framework must be published by February 2014.

On July 30, the Senate Committee on Commerce, Science and Transportation unanimously approved the Cybersecurity Act of 2013, which would codify NIST’s role in developing the Cybersecurity Framework. The bill’s directives to NIST largely track the language contained in the Executive Order, and the bill further emphasizes that NIST should “coordinate closely and continuously” with the private sector in developing the Framework.

The Cybersecurity Act of 2013 has bipartisan support, being written by Senators Rockefeller (D-WV) and Thune (R-SD). And it has received support from business associations. The U.S. Chamber of Commerce, which has opposed cybersecurity legislation establishing regulatory-based cybersecurity standards (including the Cybersecurity Act of 2012, also introduced by Sen. Rockefeller), has endorsed the Commerce Committee’s bill. The Chamber wrote that the “bill takes smart and practical steps” in authorizing NIST to collaborate with industry in developing the Framework. “[P]ublic-private collaboration is essential to successfully countering highly adaptive cybersecurity threats,” noted the Chamber, and the Chamber welcomed the bill’s narrowly tailored industry focus. The Software & Information Industry Association has also endorsed the legislation.

The bill does not include measures relating to information-sharing programs, which have been generally viewed by industry and key policy makers as important elements of cybersecurity legislation. Recent revelations regarding the National Security Agency’s data-gathering operations will make it more challenging to draft acceptable privacy and civil liberties protections into such information-sharing legislation. Nor does the bill include measures relating to new Securities and Exchange Commission disclosure requirements, despite significant attention to these topics by Sen. Rockefeller. In response to Sen. Rockefeller’s request earlier this year, however, SEC Chair Mary Jo White noted that her staff is conducting an internal review of whether additional or new cybersecurity disclosure guidance is needed.

Meanwhile, the White House is working on ways to incentivize industry to adopt the Framework. On August 6, the White House released “Incentives to Support Adoption of the Cybersecurity Framework,” which summarizes eight incentive areas identified by the Departments of Homeland Security, Commerce and Treasury:

  • Cybersecurity Insurance: Collaborate with the insurance industry to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”
  • Grants: Adoption of the Framework should be a condition or weighted criterion for receiving federal critical infrastructure grants.
  • Process Preference: Prioritize delivering technical assistance to operators of critical infrastructure based in part on whether those operators have adopted the Framework. Although, adoption of the Framework would not factor in to the prioritization of assistance delivered in incident response situations.
  • Liability Limitation: Agencies will consider whether reduced tort liability, limited indemnity, higher burdens of proof or the creation of a federal legal privilege preempting state disclosure requirements will encourage industry to adopt the Framework.
  • Streamline Regulations: Agencies will work to streamline compliance obligations by, among other things, eliminating overlaps between the Framework and existing laws and regulations and allowing for equivalent adoption of the Framework across regulatory structures.
  • Public Recognition: Consider whether giving the option to those who adopt the Framework to receive public recognition would incentivize participation.
  • Rate Recovery for Price Regulated Industries: Consider whether the regulatory agencies that set utility rates should allow utilities to recover cybersecurity investments related to Framework adoption.
  • Cybersecurity Research: Agencies recommend identifying where new solutions are needed to implement the Framework and supporting research and development to fill those gaps.

Because the Cybersecurity Act of 2013 codifies what the White House and agencies are already working to implement and because the bill has bipartisan support and the endorsement of business groups, the legislation has a reasonable chance of becoming law. With the draft Framework coming in a little more than a month, now is a good time for organizations of all types to consider the implications of these new cybersecurity standards. [Source]

US – NIST Releases Cybersecurity Draft Framework

The US National Institute of Standards and Technology has released a preliminary cybersecurity draft framework outlining standards and guidelines to support President Obama’s “Improving Critical Infrastructure Cybersecurity” executive order issued in February of this year. The NIST document states “The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk.” A spokesperson for NIST said the document is a discussion draft ahead of NIST’s upcoming meeting in September where officials will meet with industry to discuss cybersecurity and help shape the forthcoming framework. [FCW] [Federal Times] [PCWorld] []

US – Documents Reveal U.S. Launched 231 Offensive Cyber Operations in 2011

Classified budget documents released by Edward Snowden to the Washington Post reveal that the U.S. government launched 231 offensive cyber operations in 2011. The documents provide details of a budget aimed at breaking into foreign networks so that they can be put under the control of the U.S. The top countries targeted are China, Russia, Iran and North Korea. The documents outline that the NSA develops most of its software, but that it has devoted US$25.2 million for the “additional covert purchases of software vulnerabilities” from private research companies. According to an emailed statement from the NSA to the Washington Post “The Department of Defense does engage” in computer network exploitation but “The department does ***not*** engage in economic espionage in any domain, including cyber.” [Washington Post] [Atlantic Council] [Net-Security] [WIRED]

WW – Survey Confirms Woeful State of Application Security

In its “Current State of Application Security Report” the Ponemon Institute confirms most organizations surveyed have very lax application security. The survey reveals that 90% of all security vulnerabilities are at that application layer yet only 20% of IT security spending is at this level. The bulk of the security budget, the remaining 80%, focuses on networks and endpoint systems. The survey also reveals a serious disconnect between what senior management believes to be in place in relation to application security and what technical staff say is actually in place. Of the senior executives interviewed for the report, 71% believed that application security training is available and up to date. When asked the same question only 20% of technical staff agreed. Speaking about the results Larry Ponemon, founder of the Ponemon Institute, said “Hopefully, our findings stimulate awareness of the importance of application security as part of an organizations’ overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications”. [InfoSecurity] [Net-Security]

US – FBI and DHS Concerned About Android Vulnerabilities

According to an unclassified US government document, the FBI and the Department of Homeland Security (DHS) are concerned about security flaws in the Android operating system. Specifically, the document outlines concerns about threats faced by law enforcement officers and officials who are using devices running older versions of the operating system. The document says, “Android is the world’s most widely used mobile operating system and continues to be a primary target for malware attacks due to its open source architecture.” It also offers mitigation advice for certain types of threats. [CNET] [PublicIntelligence]

US – How Did Snowden Access All That Data?

The US government is having difficulty figuring out exactly what data Edward Snowden took while working as a contractor at the NSA because Snowden was careful to hide his digital footprints by deleting or bypassing electronic logs. The incident illustrates problems inherent in the structure of the data systems if they were so easily defeated. It also appears to refute assurances from the government that NSA surveillance programs are not subject to abuse because they are so tightly protected. [NBC] [ZDNet]

Smart Cards

US – Retailers Tops Concerns are Compliance and Security Vulnerabilities

A report assessing computer security for retailers and retail processing systems has identified compliance with PCI DSS is a major concern. Many of those surveyed stated the amount and variety of store systems they employ makes it increasingly difficult to manage vulnerabilities across all those platforms. While many of those surveyed showed a clear understanding of PCI compliance, they highlighted the challenge is ensuring all these systems comply with PCI. On average only 22% of those surveyed said they trusted the manufacturers of these systems to provide security. [Yahoo] [Net-Security]


US – Skepticism Over NSA Review Board; Massive “Black” Budget Revealed

Opinion is streaming in surrounding U.S. President Barack Obama’s creation of an independent board to investigate the NSA’s surveillance operations, and much of it is highly critical. Focus is generally on Obama’s promise that the experts on the panel would be “outsiders” and commenters’ opinion that the members of the panel are anything but—save Peter Swire. Also, The Washington Post has major revelations derived from a leaked copy of the U.S. intelligence community’s “black budget” Some revelations: The CIA’s budget is 50% larger, at $14.7 billion, than the NSA’s budget. The intelligence community was already worried about employees of contractors having too much access and had plans to reinvestigate at least 4,000 people this year with high-level security clearances. The CIA and NSA already are hacking into foreign computer networks to steal information and sabotage enemy states.• Counterterrorism plans account for one third of the entire intelligence spend. [The Privacy Advisor]

US – Leaked NSA Audit Reveals Thousands of Privacy Violations

The National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. This roundup for The Privacy Advisor brings together thoughts from former DHS CPO Mary Ellen Callahan,, the leaked documents, government responses—including from the NSA and Sen. Dianne Feinstein (D-CA)—as well as reported comments from Reggie B. Walton, chief judge of the FISA court, who said the court is limited in its government oversight. Additionally, in a letter to the EU’s justice commissioner, the Article 29 Working Party’s head explores investigating whether EU data protection law has been violated. [The Washington Post]

US – Talks on Surveillance Transparency Break Down

In June of this year both Microsoft and Google filed lawsuits against the U.S. government to allow them to publish more details about the surveillance requests they receive from U.S. government agencies.

However, negotiations between the two companies and U.S. government representatives broke down leading to Microsoft and Google moving forward with their lawsuits. In a blog post on Microsoft’s website, Microsoft’s General Counsel Brad Smith said “We both remain concerned with the Government’s continued unwillingness to permit us to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders. We believe we have a clear right under the U.S. Constitution to share more information with the public.” [Computer Weekly] [] [TechNet]

US – School District to Monitor Students’ Social Media Posts

A California school district has hired a company to monitor and analyze students’ public social media posts. Aiming to intervene when students are in danger related to cyberbullying, substance abuse or despair, among other risks, the school will receive a daily report of student posts on sites such as Facebook, Instagram, YouTube and Twitter from company Geo Listening. The school district’s superintendent said the program means another opportunity to keep kids safe at all times, but some parents have concerns that the program is “big brother-ish.” [Los Angeles Times] [Privacy Advisor] See also: [Toronto schools won’t send ‘fat letters’ home]

US – State Board of Education Adds Student Data Privacy Provision

The Idaho State Board of Education Aug. 15 approved an addition to existing policy to further protect student identifiable data and ensure the privacy of all data is held to the highest standard, said Marilyn Whitney, spokesperson for the board. The Idaho Data Management Council, established in 2011 and overseen by the board, makes recommendations on the oversight and development of Idaho’s Statewide Longitudinal Data System (SLDS) and oversees the creation, maintenance and use of that system. The intent of the SLDS is to provide more and better information to Idaho education leaders, policymakers, students, parents and taxpayers to help inform decision making. The SLDS is an important tool for gathering, analyzing, and reporting progress toward the state’s education goals. The action added to the current policy regarding data protection by stipulating “the privacy of all student level data that is collected by the SLDS will be protected. A list of all data fields (but not the data within the fields) collected by the SLDS will be publicly available. Only student identifiable data that is required by law will be shared with the federal government,” Soltman said. [Source]

Telecom / TV

US – Telecoms Want FTC as Regulator

The biggest U.S. cable and telecommunications companies are lobbying for a relaxation of privacy rules to allow them to sell data on customers’ telephone use. The companies want to be regulated more like private companies such as Google and Facebook rather than public utilities, arguing the regulatory landscape hasn’t kept pace with technological advances. The change, which would require new legislation, would transfer oversight of the companies from the Federal Communications Commission to the FTC. FTC Privacy and Identity Protection Associate Director Maneesha Mithal supports the shift, saying current law seems “gerrymandered to have a carve-out on mobile.” Not everyone agrees. [Financial Times]

US – Gov’t Wants Court to OK Warrantless Cellphone Searches

The Obama administration has asked the Supreme Court to rule that police are free to search the contents of an arrested individual’s cellphone without a warrant. A First Circuit Court kept intact a ruling that searches are unconstitutional, but the administration wants the decision overturned, arguing that “police have long had the authority, without a warrant, to search items that are found on a person whom they arrest” and that creating exceptions on an “item-by-item” basis would complicate police enforcement. [SCOTUSblog]

US Government Programs

US – NSA Gathered E-mails Prior to FISA Court-Ordered Revision

A newly declassified Foreign Intelligence Surveillance Court (FISC) opinion from 2011. The 85-page opinion , released by U.S. intelligence officials, states that the NSA estimated the agency had collected as many as 56,000 “wholly domestic” communications per year. In the opinion, FISC Chief Judge John D. Bates wrote, “For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court has been led to believe,” adding in a footnote, “The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” [The Washington Post]

US – NSA Paid Millions for Tech Companies’ Compliance with PRISM

Although major US technology companies have denied their knowing participation in the NSA’s surveillance program known as PRISM, recently disclosed documents show that the NSA footed the bill for the companies’ compliance to the tune of millions of dollars. [ZDNet]

US – NSA Allegedly Spied on UN offices and EU Embassies

The latest revelations from Edward Snowden, which were published in the German magazine Der Spiegel, claim the NSA spied on the offices of the UN and also EU embassies. The article claims the NSA not only breached the security of the EU embassies in Washington and New York but also the VPN between them. The article also outlines that while in the networks of the EU embassies, the NSA detected attacks allegedly originating from China and were able to hack back into the Chinese systems. The revelations have caused further outrage amongst EU countries, especially in light of the recent trade negotiations between the US and the EU. [Spiegel] [InfoSecurity]

US – PCLOB to U.S. Intelligence: Update Data-Gathering Guidelines Now

News that NSA analysts knowingly violated surveillance authority over the past decade, and were in fact disciplined for it, is just the latest information drawing attention to U.S. intelligence data-gathering activities. That scrutiny now looks to be leading to active changes. In its first major missive since its resurrection earlier this year, the Privacy and Civil Liberties Oversight Board has sent a letter to U.S. Attorney General Eric Holder and Director of National Intelligence James Clapper telling them the board believes that “key policies and procedures addressing privacy and civil liberties should be kept up to date to take into account new developments including technological advancements.” We roundup this news, a new agreement Germany would like to iron out with the Obama Administration and why the NSA might be a topic at enormous music and tech festival SXSW. [Privacy Advisor]

US – Drug Agents Grab More Data than NSA; ‘Profound Privacy Concerns’

When it comes to subpoenaing telephone records, U.S. drug agents may take the trophy from the National

New information revealed by The New York Times on a counterdrug program called The Hemisphere Project shows the federal government has been paying the telecommunications company, AT&T, to task workers on missions for the Drug Enforcement Agency and for detectives who work at local law enforcement levels. The phone workers’ job: to give law enforcement telephone records and related data that dates back to 1987. The NSA, meanwhile, only stores telephone data for five years. And that data is confined to the telephone numbers, the time of call and the duration of call. The Hemisphere Project sweeps in every call that travels through an AT&T switch point — not just every call placed by an AT&T customer. The program falls under the purview of the White House Office of National Drug Control Policy, The Times said. The Obama administration said not to worry — that the telephone data is stored only by AT&T, not the government, Fox News said. The government can only access the information via “administrative subpoenas” from the DEA, the White House said. American Civil Liberties Union, meanwhile, is outraged. The Hemisphere Project raises “profound privacy concerns,” said Jameel Jaffer, deputy director of the ACLU. “I’d speculate that one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts,” he said, Fox News reported. [Source]

US – DOC’s Cameron Kerry Tries to Reassure Europe Over NSA Spying

As he prepares to leave the Department of Commerce, General Counsel Cameron Kerry gave a speech Wednesday at the German Marshall Fund of the United States aimed to reassure European officials that the NSA is not violating their privacy rights. Kerry said it would be a sad outcome if the NSA disclosures led to “Internet policy-making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located.” [The Hill]

US – Facebook Releases First Transparency Report

In its first ever transparency report, Facebook revealed that for the first six months of 2013 it received 25,000 requests from governments about Facebook users. Up to half of the requests came from US government agencies. Colin Stretch, Facebook’s general counsel, revealed that many of the requests related to criminal cases. The information requested in most cases related to basic subscriber information, such as name and length of membership. In other cases the requests looked for additional information such as IP addresses or account content. Facebook also revealed that it did not respond to every request saying that it responded to 79% of the requests from the US government. [ComputerWorld] [InfoSecurity] [Facebook]

US Legislation

US – Gov. Signs Bill to Regulate Law Enforcement Drone Use

Illinois Gov. Pat Quinn has signed a bill that will regulate law enforcement’s use of drones. State Sen. Daniel Biss (D-Ninth District) sponsored the bill and said it helps to maintain a reasonable expectation of privacy, the report states. The American Civil Liberties Union supports the bill, calling it reasonable. The bill includes exceptions for when the Department of Homeland Security decides surveillance is necessary to prevent a terrorist attack. [The Republic]

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago) means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and perspective employees, making the state the 12th to pass such a law. The terms provide exceptions for certain law enforcement-related agencies and allow for employers to implement and enforce policies on company-issued devices accounts or services; conduct investigations, and comply with requirements of the law. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – Advocacy Groups Oppose $8.5M Settlement

Advocacy groups including the Electronic Privacy Information Center, Consumer Watchdog, Center for Digital Democracy, Patient Privacy Rights and Privacy Rights Clearinghouse are opposing Google’s settlement in a privacy lawsuit, writing to U.S. District Court Judge Edward Davila that the donation of $8.5 million to nonprofit groups and schools should be rejected. While the groups cite several reasons, “the most significant is that the deal allows Google to continue engaging in the same activity that led to the lawsuit—leaking the names of people who use its search engine,” the report states, noting, “The only difference for Google is that the deal requires it to revise a section of its privacy policy.” [Media Post Blogs]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register, slated to take effect by October 1. [GovInfoSecurity]

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [FTC press release]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [Wired]

US – State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track driver’s mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing. [Stateline].

Workplace Privacy

CA – Privacy Watchdog Says Companies Allowed to Track Employees with GPS

Do you like the idea of your employer being able to track your every movement via GPS? Probably not. But an adjudicator with the Office of the Information and Privacy Commissioner says that, under certain circumstances, it’s reasonable for a company to monitor employees using GPS technology. Members of the International Union of Elevator Constructors complained that ThyssenKrupp Elevator Ltd. and Kone Inc. were tracking employees via GPS, which they argued was an illegal intrusion into their personal privacy. But BC’s privacy watchdog says it’s reasonable for companies to use GPS technology to ensure workers are where they say they are, to manage staff, and/or to confirm billing. ThyssenKrupp attaches GPS devices to work vehicles, while Kone goes so far as issuing employees GPS-enabled smartphones. The only concern the Office of the Information and Privacy Commissioner was that ThyssenKrupp did not provide adequate notice to workers regarding GPS tracking. The company has been ordered to stop using GPS on employees until it informs its staff properly. [Source] See also: [How Surveillance Changes Behavior: A Restaurant Workers Case Study]

US – Web Privacy Bill Moving Forward In Wisconsin

A proposal that would make it illegal for Wisconsin employers to ask workers or job applicants to turn over their passwords to social media accounts such as Facebook is moving forward in the Legislature. A Senate committee has scheduled a recent hearing on the bill. That comes after an Assembly committee heard the measure in May. The bill has broad bipartisan support and it could be taken up by the full Legislature as early as next month. The movement to pass such laws is gaining steam across the country as employers have asked for employees’ user names and passwords to personal accounts. Some employers argue they need that access to protect proprietary information or trade secrets in order to comply with federal financial regulations. But others see it as a blatant invasion of employee privacy. “It’s not something that’s happened a lot,” said Sen. Glenn Grothman, sponsor of the bill and chairman of the Senate Judiciary Committee that is holding Tuesday’s hearing. He said the measure was designed to prevent “a busybody boss or busybody college administrator, or landlord for that matter, from looking at your private account.” [Source]

AU – AAMI Customers Use Privacy Breach in Their Favour

The blind carbon copy (BCC) button on emails exists for a very good reason. Unfortunately one of AAMI’s managers failed to use it the day she sent a message to 110 private addresses. Even worse than releasing private emails, the message went to all the people with ongoing disputes against AAMI with the Financial Ombudsman Service. Now the email has accidentally united a group of people, already very unhappy with one of Australia’s largest insurers, and who are now exploring the possibility of launching a class action. AAMI spokesman Reuben Aitchison said the email from a customer relations manager was a “simple but unfortunate human error involving a small number of customers. “Email addresses were inadvertently placed in the ‘To’ field of the email, rather than in the ‘BCC’ field. As soon as we realised our error, we contacted each affected customer to apologise, explain what happened and assure them that no other personal information was revealed.” Mr Aitchison said AAMI, owned by Suncorp, has provided further training to the staff member and used it as a reminder for the rest of the company about email protocols. [Source]




01-15 August 2013


WW – PayPal Tests Mobile Payments Using Your Face for Verification

PayPal is rolling out a new trial for British consumers to see if they really can leave their wallets at home. Recently kicking off in London borough Richmond upon Thames, the test includes 12 different merchants set up to accept PayPal payments. Using the PayPal app for iOS, Android, or Windows Phone, potential customers can see nearby participating merchants highlighted on their mobile phones. They can then check in by clicking on the merchant’s name and sliding a pin down the screen. When purchasing an item, the customer’s name and photo pop up on the store’s payment system. An employee clicks on the photo to initiate the payment. The customer then gets a notice and receipt for the transaction on their phone.  Though only a dozen retailers are part of the test, PayPal expects that more than 2,000 merchants will be able to accept the PayPal payments by the end of 2013, Sky News added. And PayPal has grander ambitions beyond this year. [Source]

WW – Intel Drops TV Facial Recognition After Privacy Fears

Intel has confirmed that its upcoming TV service will not include a camera looking at viewers, but it will still record a massive amount of content and store it in the cloud. Intel officials plan to begin selling a set-top box and services later this year that will let users receive live and recorded programming over the Internet, the latest move by a growing number of tech vendors that are looking for ways of leveraging the Web to improve people’s TV viewing experience. The idea was that the camera, through software, could recognise the faces of the viewers, and personalise the programming and ads based on who was watching. The idea of the camera looking into the room and seeing and recording who was watching what content sparked some controversy from people who worried about the data being collected and an invasion of privacy. Huggers said that the camera and its facial-recognition software was postponed for now, not only over privacy concerns but also because the technology did not work well in the low lighting that is found in many TV rooms. [Full story]


CA – Global Sweep Highlights “Significant” Shortcomings

The Office of the Privacy Commissioner of Canada (OPC) has released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.” [Source]

CA – N.S. Cyberbullying Legislation Allows Victims to Sue

Stricter cyberbullying legislation is now in place in Nova Scotia, giving victims the ability to sue alleged cyberbullies. The protections for victims of cyberbullying are part of the new Cyber-Safety Act, implemented by Justice Minister Ross Landry this week, aimed at protecting victims and holding bullies responsible. If alleged cyberbullies are minors, the new legislation allows victims to hold the bully’s parents responsible. The legislation allows victims to apply for protection orders to place restrictions on, or identify, the cyberbully. [Source] See also: [UK teen’s suicide prompts calls to shut down website that allows anonymous internet bullying]

CA – Via Rail Considers New Security Checks for Passengers

Taking a train in Canada could soon become more like boarding an airplane as Via Rail considers greater scrutiny of checked baggage, more inspections by sniffer dogs and security checks on passengers.  The measures, outlined in documents released under the Access to Information Act, are being considered in direct response to the alleged terrorist plot to derail a train that led to arrests in April, said a Via Rail spokesman. At a House of Commons committee in May, a senior Via Rail official said the train service was considering whether to ask all of its travellers for identification before they board, which does not take place routinely. The spokesman says the idea, including regular checks of passenger names against security databases, is still being studied, but could be a “fairly expensive proposition” given that Via serves 450 communities spanning 12,500 kilometres of track. Via Rail currently does random searches and X-rays of baggage, uses sniffer dogs at stations and observes passengers for telltale signs of suspicious behaviour, Gagnon said. “Our employees are trained to detect body language.” Via Rail briefing notes prepared in May, released this month to The Canadian Press under the access law, indicate the passenger train service is looking at:

  • ensuring all checked baggage can be linked to an on-board passenger, a standard practice for airlines;
  • more frequent patrols by sniffer dogs to scrutinize baggage and conduct walkabouts in Montreal, Toronto, Quebec City, Ottawa and Vancouver;
  • additional security measures for the Via-Amtrak train during the Canadian leg of its journey, including mandatory identification checks on all passengers.

In addition, Via Rail has already implemented two ideas from the working group — beefed-up vigilance training for staff and stricter certification standards for members of the train service’s safety, security and risk management division. There is no timeline for making additional improvements, though a status report is to be delivered at a Via Rail board meeting at the end of August in Saskatoon, he said.[Source]


US – Study: Consumer Reaction to NSA Could Hurt Ad Targeting

A study reveals that consumer concerns about online privacy have jumped from 48% to 57% since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31 percent said they now actively take steps to protect their privacy online. [AdWeek]

US – Chronic Retail ‘Returners’ May Be Tracked

The Huffington Post reports on retailers’ tracking of customers’ merchandise returns. Citing fraud and security risks, companies such as Best Buy, JC Penney, Victoria’s Secret and Nike say they must create profiles on individual customers’ returns at their stores. The stores use third parties to create “return profiles” and report back to the retailer, but consumer advocates say the practice violates privacy because of a lack of transparent disclosures. The practice led to a lawsuit against Best Buy recently, though the case was eventually dismissed. [Source]

EU – U.S. & Germany to Enter No-Spying Agreement, Says German Government

The U.S. has verbally committed to enter into a no-spying agreement with Germany in the wake of disclosures about the U.S. National Security Agency’s secret surveillance programs. The verbal commitment was given in talks with the German Federal Intelligence Service (Bundesnachrichtendienst, BND), the sole foreign intelligence service of Germany, the German government said in a news release. This means that there must be no governmental or industrial espionage between the two countries, it said. More common standards for the cooperation of E.U. intelligence services are in progress, the German government added. No further details about the agreement were given. The German Federal Ministry of the Interior reached on Monday could not immediately respond to a request for comment. The no-spying agreement talks were announced as part of a progress report on an eight-point program proposed by German Chancellor Angela Merkel in July with measures to better protect the privacy of German citizens. The plan was drafted “due to the current discussions about the work of the intelligence services,” the German government said. [Source] See also [Germany demands sanctions for US firms over privacy]


CA – BC Liberals Did Not Violate Privacy Laws in Ethnic Scandal: Report

The provincial government did not give private personal information to the B.C. Liberal party as part of a controversial outreach plan to woo so-called ethnic voters, B.C.’s information and privacy watchdog said in a report released this week. The findings come after an internal review into the ethnic outreach scandal conducted before the election by Premier Christy Clark’s deputy minister, John Dyble. That review found serious misconduct by public officials, the misuse of government funds and the deliberate use of private emails in a bid to win ethnic votes. Denham said she launched her own parallel investigation to “determine whether there was sharing of personal information between the government and the B.C. Liberal Party, and if there was, whether this sharing was authorized under provincial privacy law.” In her report Thursday, Denham found no contraventions of privacy laws, but did agree there were “significant issues with the handling of personal information that need to be addressed.” [Source]

CA – Canada Studies Britain’s ‘Nudge Unit’ for Ways to Give the Public a Push

It’s known as the “nudge unit,” because its mission is to “nudge” citizens into acting the way the government wishes they would. Pioneered in Britain, it is officially tagged with the 1984ish name Behavioural Insights Team – about a dozen policy wonks, mostly economists, who employ psychological research to subtly persuade people to pay their taxes on time, get off unemployment or insulate their attic. The goal: To make consumers act in their own best interests – and save the government loads of money. Now Canada is looking into this growing field of behavioural economics. Finance Canada documents obtained by The Globe and Mail through Access to Information show Michael Horgan, the deputy minister of Finance Canada, was recently briefed on the activities of the three-year-old British team, which has attracted interest from governments around the world. The Finance Department acknowledges there are potential ethical concerns when governments mix economics and psychology to nudge citizens into making specific choices, but concludes those concerns can be addressed with transparent policies. And there is a potential payoff: With an annual budget of just $1.6-million a year, officials say, the British unit has already saved its government $480-million. One project, which sent court fines by text message rather than by mail, dramatically reduced bailiff interventions and saved nearly $50-million. [Source]


EU – German Providers Tout Secure eMail Services

Just days after two US-based secure email providers shuttered operations in the face of government demands for data, German email providers have begun offering their own secure email services, in which SSL will be on by default. The providers, Deutsche Telekom’s T-Online and United Internet’s GMX and services, say they will send mail within the country through domestic servers only. However, the companies’ plans provide security only for messages in transit; they do not provide secure data storage. Despite Germany’s strong data protection laws, there are exceptions for security agency demands, and SSL can be intercepted and decrypted fairly easily. The technology media say the secure email tagline is nothing more than marketing. [ZDNet] [ArsTechnica] [NBCNews]

US – Secure eMail Provider Lavabit Shuts Down

Lavabit, the secure email server that Edward Snowden had been using, has shut down. The company’s owner, Ladar Levison, wrote that he had to decide between “becom[ing] complicit in crimes against the American people or walk[ing] away from nearly ten years of hard work.” Levison wrote that although he would like to be able to tell users what prompted his decision, he is not at liberty to disclose that information, leading to speculation that the company received a National Security Letter or a search or eavesdropping warrant. Another encrypted communications service, Silent Circle, has shut down its Silent Mail service, noting, “We see the writing [on] the wall, and we have decided that it is best for us to shut down Silent Mail now.” [WIRED] [The Register] [ArsTechnica]

NZ – Mega to run ‘cutting-edge’ encrypted email

Kim Dotcom’s is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s and Silent Circle’s shutdown an “honorable act of Privacy Seppuku.” Mega has been doing an “exciting” but “very hard” and time-consuming job of developing both highly-secure and functional email service. “The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat. According to the company’s founder Dotcom, Mega doesn’t hold decryption keys to customer accounts and “never will”, thus making it impossible for it to read the emails. This also means that Mega by design cannot be forced to rat on its users by intelligence agencies. However, Dotcom earlier told TorrentFreak that a new spy legislation being pushed by the US and its Five Eyes alliance partners – UK, Canada, Australia and New Zealand – may force Mega to relocate its servers to some country exempt from such jurisdictions, such as Iceland. [Source]

NZ – Email Privacy Breaches Inspire NZ Tech Tool

A Wellington tech company has responded to calls from the public sector by launching a new tool designed to prevent email privacy breaches. Several government agencies have already signed up to use the product, including the Financial Markets Authority (FMA) and Ministry of Primary Industries (MPI). Software developer Liverton Technology Group has developed a system called MailAdviser which works at the front end of Microsoft Outlook. Justin De Lille, chief executive of Liverton, said the tool prompts users to double-check messages and attachments when sending to an unsecured or public email address. [Source]

Electronic Records

WW – Exploring Computer-Manipulation of the Mind

Latest research into computer-brain interfaces and the possibilities of sending brain waves over the Internet. Potential uses for brain-computer interfaces include human interaction with computers and other mobile devices simply by thinking. In 2011, scientists published research on Decoded Neurofeedback , a process by which brain activity can be altered. Additionally, Duke University neuroscientist Miguel A. Nicolelis has successfully connected the brain activity of two rats over the Internet and conducted an experiment called a “brain net,” which allowed rats to share information over the web. Nicolelis said he believes humans will eventually be able to communicate over the Internet via brain waves. “I think this is the real frontier of human communication in the future,” he said. [The New York Times]


WW – Tor Network Breached

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers to mask the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eion Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.” [Naked Security]

WW – Researcher’s Spy Boxes Pick Up Troves of Unencrypted Data

Security researcher Brendan O’Conner recently wondered how easy it would be to monitor—as a private citizen—the movement of strangers on the street. So he built 10 contraptions made of sensors, a tiny computer and Wi-Fi adaptors and proceeded to spy on himself. The data his contraptions collected sent signals to a command-and-control system and included the unique identifiers to his phone and iPad—in unencrypted fashion. “Actually it’s not hard,” O’Connor said. “It’s terrifyingly easy…It could be used for anything, depending on how creepy you want to be.” [The New York Times]

EU Developments

EU – EU Looks to Speed Up Privacy Reforms

The European Commission wants to quicken the pace of passing the proposed data protection regulation, which is currently held up in the European Parliament’s civil liberties committee. Commissioner for Justice Viviane Reding, who in July appealed to member states to place the bill on an EU summit in the fall, said, “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file.” Hunton & Williams’ Bridget Treacy noted, “Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation and some detailed exploration of the key elements of such an approach under the Irish presidency.” EU lawmakers have said they want the reforms passed by May 2014. [EUObserver]

EU – Working Party Weighs In on Purpose Limitation and Big Data

The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data. In this exclusive for The Privacy Advisor, Stefano Tagliabue, discusses the Article 29 Working Party’s opinion on purpose limitation and Big Data. [Source]

EU – U.S. Surveillance Spurs EU Efforts to Tighten Data Protection Rules

The EU has reacted to the U.S. National Security Agency surveillance program disclosures, including the determination by some, to enact the proposed data protection regulation by May of next year. German MEP Jan-Philip Albrecht said, “The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” adding, “It makes the world more vivid.” Shearman & Sterling associate Hartmut Häselbarth said the May deadline is ambitious, but in the long run, American businesses with a presence in Europe “will most likely have problems in (the) future.” [The Wall Street Journal]

EU – Ukraine Amends Personal Data Protection Law

On July 3, the Ukrainian Parlaiment amended its privacy law effective January 1, 2014. The amendment will transfer the functions of the State Service of Ukraine on Personal Data Protection to the Ombudsmen, whom data controllers will be required to notify of the processing of “high risk” personal data. There have also been changes to notification periods and the definition of “consent” to data processing has been removed altogether. According to Lexology, “It remains unclear whether previously registered databases will need to be notified to the Ombudsman.” [Lexology]

UK – ICO Publishes PIA Code of Practice

The UK Information Commissioner’s Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The consultation states the new code of practice aims to “help organizations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organization’s project and risk management processes.” [Source]

UK – ICO Publishes Regulatory Action Policy

The UK Information Commissioner’s Office (ICO) has published a Data Protection Regulatory Action Policy, outlining what the office will consider when deciding whether to initiate regulatory action. Noting that “market factors” may influence the decision, the policy points to some “initial drivers,” including issues of “general public concern,” those due to the “novel or intrusive nature of particular activities” and those stemming from complaints. When asked for clarity on “market factors,” an ICO spokesman said in markets where “consumers demand effective privacy protection…market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene.” [Out-Law]

EU – Italian DPA Releases Rules on Spam and Viral Marketing

The Italian Data Protection Authority (Garante) has released, earlier this month, a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuses of marketing communications and to promote fair commercial practices towards users and consumers. [Full Story]

EU – French Supreme Court: Undeclared File Sale Is Void

The French Supreme Court’s has ruled that the sale of a file containing personal data that should have been declared with the French data protection authority, the CNIL, and was not must be cancelled. “Having noticed that this rule had not been complied with, the court found such a file to be illegal and unable to be subject to a convention under the French Civil Code,” the report states, noting the sale had to be considered void. “This ruling is particularly important in that it is the first time that the court has applied such reasoning,” the report states, noting it “reminds us of the importance of complying with the obligations attached to the handling of personal data…” [Lexology]

Facts & Stats

UK – ICO Publishes Breach Trends Statistics; Gov’t Leads List

In a recent Information Commissioner’s Office (ICO) blog post, Sally-Anne Poole says statistics indicate carelessness is the cause of much of the office’s enforcement business. The ICO uses statistics to help inform its response to incidents, Poole writes. The health and local government sector leads the list for data breaches, followed by schools and solicitors. The ICO has published a spreadsheet of its civil monetary penalties for the first quarter of 2013 so the public can see such trends. [Source]

US – Data Breaches from 2005 to Present Exceed 500 Million

From 2005 to present, there have been a reported 535,267,233 data records breached in the U.S.. That’s 1.7 times the U.S. population, and the number only reflects reported breaches. “Many, or perhaps most, of the breaches that have occurred over the past decade have no reported number of records associated with them. They’re designated as ‘unknown,’” the report states. Ken Hess writes that, if each record breached represents one account, “just about everyone who lives in the U.S. is at risk of having at least one part of his or her data hijacked from multiple sources. It also means that absolutely no one’s data is safe.” [ZDNet] See also: [High-tech toilet gets hacker warning; nothing is safe]


US – Senator Concerned About CFPB Data Collection

In a press release, Sen. Mike Crapo (R-ID) has raised privacy concerns about the collection of sensitive financial data by the newly created U.S. Credit Financial Protection Bureau. The ranking member of the Senate Banking, Housing and Urban Affairs Committee, Crapo is concerned about how data is being collected, how many accounts are being monitored, how the data is being used and how many safeguards are in place to protect the data. The Government Accountability Office has agreed to investigate the collection programs. “Recently, cases of privacy abuse” have reached the headlines, Crapo said, “and we now have a federal agency that is using unchecked power to gather data on the spending habits of hundreds of millions of Americans.” The senator plans to hold a press conference on the issue on Monday, August 12. [Source]

US – The Inaccuracies of Data Broker Dossiers

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature.


CA – Alberta Privacy Commissioner Pushes For Even More Openness

Alberta needs to establish minimum standards to ensure that more government information is made freely available to the public without a fight, says the province’s information and privacy commissioner. That’s one of a series of recommendations made by Jill Clayton in her submission to the provincial government’s review of the Freedom of Information and Protection of Privacy Act (FOIP). Clayton said she wants a legislated requirement for public bodies to commit to “proactive disclosure” of information and minimize the need for formal access requests from citizens. “In my view, that should be sort of the avenue of last resort,” she said in an interview. “Public information should be available to the public.” Clayton said that Alberta has taken some positive steps lately, such as the mandatory expense disclosure policy for MLAs and senior civil servants introduced by the Redford government last fall. But she noted that a 2012 study of four provinces’ FOIP legislation by the Centre for Law and Democracy ranked Alberta’s the lowest. [Source]

CA – Disclosure changes considered for Saskatchewan MLAs

Saskatchewan’s Conflict of Interest Commissioner Ronald Barclay says discussions are underway regarding changing, for privacy reasons, some of what is publicly disclosed by MLAs. “In our legislation, we not only disclose the assets of the members and the spouses, but you also have to disclose the names of any dependent children and also the residences of where the members live,” Barclay said. In his most recent annual report, Barclay comments on requests he received from several MLAs asking whether the legislation related to those requirements should be amended for privacy reasons. “In all the other jurisdictions except ours, those are exempt. For a dependent child, you just put Child A, Child B, Child C and you wouldn’t have to list the addresses of the MLAs,” Barclay said. “I’m going to turn it over to the two caucuses and they’ll have to make a decision whether or not they want to amend the legislation.” The information would still need to be disclosed to the commissioner, but it wouldn’t become public, Barclay said. [Source] See also: [Manitoba: New rules may be needed for political parties asking personal questions: lawyer]

CA – No Privacy Concerns In Releasing Daycare Complaints

Ontario’s privacy commissioner says there are no privacy concerns that would prevent the government from releasing complaints against unlicensed daycares to the public. “My office recently spoke with the Ministry of Education and we clearly outlined that there are no privacy issues with releasing non-personal, business information regarding unlicensed daycare investigations or occurrences,” Ann Cavoukian wrote in a statement. [Source]


US – Unprecedented Pact Reached With Lacks’ Descendants

In an unprecedented move, the National Institutes of Health (NIH) announced an agreement with the descendants of Henrietta Lacks, whose cervical cancer cells were taken without permission by scientists 62 years ago, giving them control over which biomedical researchers will gain access to the full genome data derived from her cells, MSNBC reports. NIH Director Francis Collins said it is an “historical agreement” that will “protect the family’s interest and also further their commitment to biomedical research.” In a column for Nature , Martin Bobrow writes on the “growing issue in modern science: access to biomedical and health-related research data.” [Source]


WW – Google Defends Chrome’s Password Manager

A software developer was surprised to find that Google Chrome lets anyone with access to a computer see in plaintext passwords the browser has stored. Google has acknowledged this characteristic of the browser from the beginning and maintains that it is not a security flaw. Google explains that security “boundaries within the OS user account just aren’t reliable,” and the company “doesn’t want to provide users with a false sense of security” by supporting a security scheme, such as a master password, that doesn’t work. “When you grant someone access to your OS user account, they can get at everything.” [WIRED] [SCMagazine] [] [CNET] [Developer’s Blog] [Google’s Response]

WW – Google: don’t expect privacy when sending to Gmail

People sending email to any of Google’s 425 million Gmail users have no “reasonable expectation” that their communications are confidential, the internet giant has said in a court filing. Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a “stunning admission.” It comes as Google and its peers are under pressure to explain their role in the National Security Agency’s (NSA) mass surveillance of US citizens and foreign nationals. [Source]

Health / Medical

US – Obamacare Privacy Safeguards “Way Behind”; Violations “Rampant”

The Office of the Inspector General of the Department of Health and Human Services (HHS) says the Obama administration has not set up adequate safeguards to protect U.S. citizens’ privacy under the law. The office says health data exchanges under Obamacare may expose private records to hackers and criminals. The healthcare plan mandates the creation of a “data hub,” accessible by seven different federal agencies, including the Internal Revenue Service, the Social Security Administration and the Department of Homeland Security. A spokeswoman for HHS said privacy safeguards are delayed by at least two months, with the exchanges slated to begin October 1. [Forbes]

US – HIPAA-Compliance Deadline Looms

In an article for National Law Review, Elizabeth Johnson of Poyner Spruill says one of the highest priorities for HIPAA-covered entities required to meet new aspects of the recently updated HIPAA rules is to update business associate agreements. That’s because the distribution, negotiation and execution process can be time-consuming, she writes. “With the compliance deadline only two months away, covered entities must focus efforts to ensure that all updates are complete and new training concluded prior to the September 23 deadline.” [Source]

Horror Stories

US – Alumni, Donors Notified of Breached Server

The School of Forestry and Wildlife Sciences at Alabama’s Auburn University has begun notifying an undisclosed number of alumni and donors that their personal information has been breached. The incident occurred when spreadsheets containing the individuals’ names, Social Security numbers and e-mail addresses, among other data, were mistakenly uploaded to a publicly available server. Meanwhile, a Texas lawmaker is taking action to ensure greater transparency when it comes to state agencies’ cyber threats. [eSecurity Planet]

US – Provider Announces Laptop Theft

California-based Retinal Consultants Medical Group has announced the theft of an unencrypted laptop containing protected health information, reports. The laptop, part of a diagnostic imaging machine, contained patients’ names, dates of birth and genders, among other information. The provider has notified affected individuals, encouraging them to monitor bank accounts and obtain credit reports; however, according to the notification, it is not aware of any access to or misuse of the data. [HealthData Management]

US – Healthcare Breach Affects 32,000

Cogent Healthcare is notifying approximately 32,000 patients in 24 physician groups it manages “that their personal health information may have been exposed online.” The report states that M2ComSys, a company Cogent Healthcare contracted to transcribe patient care notes for some of its physician groups, stored notes that included “patients’ names, birthdates, diagnoses, summaries of treatments, medical histories, medical record numbers and physicians’ names, on a website” that suffered a security lapse. “We are generally unable to identify who accessed the notes,” Cogent Healthcare has said. Those affected are being offered a free one-year membership in an identity protection service. [eSecurity Planet]

CA – Hospital Notifies 1,300 of Breach, Nurse Fired

A nurse has been fired by Canadian-based Norfolk General Hospital for unauthorized access to more than 1,300 patient records. An investigation revealed the nurse allegedly violated the Personal Information Protection Act multiple times dating back to 2004. Compromised data included patient names, health care numbers, dates of birth, contact information, doctor names and reason for visit. The organization has notified affected patients. A Vermont-based healthcare and hospice facility has also announced a breach and notified affected patients after an employee’s laptop was stolen. Meanwhile, Boston Public Schools will redesign student information cards after a hard drive, containing PDF images of 21,054 student IDs, was lost. [Brantford Expositor]

US – Airline’s Second Significant Breach in a Month

For the second time in the past 30 days, U.S. Airways has revealed it has suffered a breach of PII. As many as 7,700 customers may have been affected by the latest breach, which customers discovered when they noticed their frequent flyer miles were missing, and compromised data includes usernames, passwords, birth dates, addresses, security question answers and the last four digits of credit cards. The last breach involved employee data. U.S. Airways said it has restored “all mileage balances as quickly as possible” and will provide free identity-theft monitoring. [Source]

Identity Issues

WW – Twitter’s Two-Factor Authentication

Twitter has made changes to the two-factor authentication system it introduced in May, which used text messaging. The new login verification system for its mobile app uses the app itself to authorize account access instead of communicating through text messaging, which can be less than trustworthy. Users who want to update to the new authentication system need only update their mobile twitter apps. Attempted logins will provide rough locations and information about the browser being used. Twitter acknowledges that two-factor authentication is a work-in-progress and says it will continue to improve the process. [ZDNet] [ArsTechnica] [WIRED] [NBC News]

US – The Inaccuracies of Data Broker Dossiers

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature. [Source]

WW – Microsoft Researchers Develop 3D Passive ID Tags

Engineers in Microsoft’s research division have developed an automatic-identification technology known as InfraStruct, using passive tags operating in the terahertz (THz) band. Instead of encoding data onto a silicon chip, as is typically the case for passive RFID tags operating in the low-frequency (LF), high-frequency (HF) or ultrahigh-frequency (UHF) radio frequency (RF) bands, the InfraStruct system involves building a unique shape or hollowed section directly into a structure, with an ID number or other data physically represented in that shape or section. The InfraStruct concept, still in the prototype stage only, includes a unique method of building a tag into a three-dimensional printed plastic object, as well as a terahertz scanner that transmits an optical-like radiation into the item that is reflected back to the scanner. Software then measures the response of the reflection received, thereby identifying the unique item based on that measurement. [Full Story]

Internet / WWW

US – Apple updates App Guidelines with Eye On Children’s Privacy

Apple has tweaked its guidelines for app developers to emphasize the latest rules regarding children’s privacy. The guidelines have been updated to reflect the latest changes to the Children’s Online Privacy Protection Act (COPPA) and Apple’s renewed focus on education with iOS 7. In the past, COPPA prevented developers from gathering the names, addresses, and phone numbers of children under 13 without parental consent. Since the start of the year, those restrictions have extended to photographs, videos, and audios as well. The specific guidelines now read as follows:

17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age.

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.

As part of its new emphasis on the educational market, Apple also updated its guidelines with a new section known as “Kids Apps.” Children under 13 will now be able to have their own individual iTunes accounts. But developers who design apps for kids must follow certain rules, such as including a privacy policy, excluding behaviorial advertising, and requiring parental consent before letting children “link out of the app or engage in commerce.” [Source]

WW – Facebook Posts Online Privacy, Safety Guide

Facebook has posted a new guide for survivors of domestic abuse, detailing steps to protecting safety and privacy while still being able to connect with family and friends on the social network. Facebook teamed with the National Network to End Domestic Violence to come up with the guidelines, which can be found at the Facebook Family Safety Center, Some might suggest that using a fake profile name or not even using the social network at all may be the best course of action. But in most cases, neither is true, Southworth said in an interview during a break in the group’s three-day technology safety summit in San Jose. “It’s not acceptable to tell survivors of domestic violence just to give up their technology,” she said. “What she really needs is that he not able to contact her and if he does, that he is held accountable.” A domestic abuser often tries to gain power and control by isolating the victim from friends and family, she said. “One of the things we advocate is to rekindle connections with friends and family and jobs,” she said. “Some of that can be through Facebook, some of that can be through in-person activities. We don’t think any victim needs to choose to be offline.” Although a small number of survivors might need to change their identities, she said the group is not recommending that course of action as much as before because of it also brings on unintended consequences, such as the loss of a person’s credit history or a nursing license needed to work. And when there’s a legal protective order preventing contact, repeated Facebook posts by the abuser could provide the “compelling digital evidence” needed to convince an officer or judge of a violation, she said. The “Guide for Survivors of Abuse” is generally applicable to any Facebook member to make sure they protect their online privacy and safety, even in a publicly social world. The guide also advises caution when accepting a new friend request. “Unfortunately, some abusive individuals use clever tactics to gain access to a victim’s information,” the guidelines said. “In some instances, abusive individuals maliciously create accounts impersonating a friend of the person they want to connect with.” [Source]

Law Enforcement

US – FBI Employing Hackers’ Techniques

U.S. law enforcement officials are “expanding the use of tools routinely used by computer hackers to gather information on suspects.” Law enforcement calls the practice, which includes remotely activating Android microphones to record conversations on cellphones or on laptops and hiring hackers themselves, “going dark.” The ACLU says there should be legal guidelines on how such hacking tools can be used. A spokesperson for the Justice Department said it makes decisions regarding legal authority to conduct surveillance on a case-by-case basis. [The Wall Street Journal] See also: [Yukon Mounties to star in their own reality show, raising privacy concerns] See also: [License plate scanning: The inside story of a cop who tracks our data] and also: [Predictive policing: Don’t even think about it]

US – NYPD Agrees to Purge Stop-Frisk Databank

The Bloomberg administration has agreed under a settlement announced to purge a New York City Police Department database containing personal information on individuals who were stopped by authorities, and also agreed to pay $10,000 to the lead plaintiff in a putative class action. Christopher Dunn, associate legal director of the New York Civil Liberties Union and lead counsel in the case, said in an interview that hundreds of thousands of names of innocent individuals will be erased from the NYPD database as a result of the settlement.  Legislation signed in 2010 by Governor David Paterson barred the NYPD from retaining stop-and-frisk data when the individual questioned was let go without an arrest or summons (NYLJ, July 19, 2010). But the legislation did not require expunging information on cases where the target was arrested or issued a summons, even if the charge was ultimately dismissed, leaving the city with a partial investigatory tool. On behalf of Lino and Khan and several hundred thousand other citizens, the NYCLU brought a class action arguing that the records should also be expunged. Acting Supreme Court Justice Barbara Jaffe dismissed the case for lack of standing, but she was reversed by the Appellate Division, First Department (NYLJ, Dec. 21). The appeals court revived the plaintiffs’ case, resulting ultimately in the settlement.  [New York Law Journal]

US – IRS Manual Detailed DEA’s Use of Hidden Intel Evidence

Details of a U.S. Drug Enforcement Administration program that feeds tips to federal agents and then instructs them to alter the investigative trail were published in a manual used by agents of the Internal Revenue Service for two years. The practice of recreating the investigative trail, highly criticized by former prosecutors and defense lawyers after Reuters reported it this week, is now under review by the Justice Department. Two high-profile Republicans have also raised questions about the procedure.  [Source]


CA – Live Traffic Map Uses Vancouver Drivers’ Cellphone Data

Drivers in the Vancouver area are unknowingly helping to track traffic congestion, as their cellphone GPS signals are being automatically fed into a new online traffic map. TransLink, Transport Canada and B.C.’s Transportation Ministry have unveiled an online, colour-coded traffic map of the Lower Mainland with real-time updates that indicate areas of congestion. “It tracks your cellphone signals, and based on that, it directs that data online,” said TransLink spokeswoman Jiana Ling. Ling said TransLink does not receive any personal data from cellphone signals and that all personal information is “scrambled and anonymized” before it is pushed to the map. “Cellphone signals within the telecom network gets picked up and stripped off of any personal information at the source,” Ling said in an email statement to CBC News. “TransLink’s data provider then processes the anonymous cellphone signals through a specialized algorithm. This algorithm generates the average speed of commuters on the road network and TransLink posts this information online. The algorithm can only generate the average speed of the road network, it cannot identify the travel patterns of any specific cellphone user.” But Tom Keenan, an online security expert at the University of Calgary, questions how secure the software is. “If they did a good job, the hackers will walk away and say, ‘We can’t get anything.’ If they did a bad job, you can be rest assured that your Uncle Charlie is going to be tracked on the freeway.” Micheal Vonn, policy director for the BC Civil Liberties Association, said TransLink failed to commission a privacy impact assessment for the map, something it is legally bound to do. “In the rush to use these new technologies, the obvious steps for consideration around privacy and security have been missed,” Vonn said. Ling said TransLink conducted an internal review and decided a privacy assessment was not required since the data it receives does not contain any personal information. [Source]  See also: [ON: Desjardins tests device that will monitor drivers’ habits]

US — “Spoofers” Use Fake GPS Signals to Knock a Yacht Off Course

University of Texas researchers recently tricked the navigation system of an $80 million yacht and sent the ship off course in an experiment that showed how any device with civilian GPS technology is vulnerable to a practice called spoofing. Led by GPS expert Todd Humphreys, the researchers used a handheld device they built for about $2,000. It generates a fake GPS signal that appears identical to those sent out by the real GPS. The two signals reach the targeted system in perfect alignment. The strength of the fake signal slowly ratchets up and overtakes the real one. The yacht’s captain offered up his boat for the experiment after seeing Humphreys give a presentation at this year’s SXSW conference. The takeover took place in June while the boat was traveling in the Mediterranean off the coast of Italy. From a perch onboard the yacht, the spoofing researchers shifted the ship’s course three degrees to the north. They also convinced the yacht’s GPS system that the boat was underwater. [Source]

WW – Kids’ App Prevents Tracking and Targeting

A mobile app developer has released a new iOS app that aims to prevent web-browsing data and other in-app activity from being shared with third parties, Broadway World reports. Disconnect Kids also includes an educational function to introduce children and parents to online privacy issues. Features include a mobile tracking blocking function, a comic book discussing online tracking and targeting and two animated videos to help children and parents understand and control their personal data. [Source]


WW – IBM Gets Certified Under APEC Privacy Rules

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies, through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovell’s Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.” [IBM Press Release]

CN – China Issues Regulation on Collection and Use of Personal Data

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”).  The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service provider’s (“TSPs” and “IISPs,” respectively) collection and use of “user’s personal information,” based on a more generally addressed national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here). In its final form, the Internet Provisions reiterate most of the specific provisions relating to the collection and use of a user’s PI found in the draft for public comment (see our previous client alert on the draft here).  Now binding, these provisions require TSPs and IISPs to: • Post PI collection and use policies at their place of business or online; • Not collect or use a user’s PI without the user’s consent; • Notify users regarding collection and use of PI, including the purpose, method, and scope of use, as well as avenues for the user to consult or amend the information, and the consequences if a user fails to provide the required information.  (Notably, the final version of the Internet Provisions states that its rules regarding user notice and consent will supersede any other law or regulation on this point, which would appear to include the December 2011 promulgated Several Provisions on Regulating the Market Order of Internet Information Systems.) • Maintain strict confidentiality of a user’s PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others; and to • Provide company contact information so that users may provide feedback, and to resolve any complaints lodged by customers within 15 days.

The Internet Provisions also provide that in circumstances in which a TSP or IISP entrusts a third party with PI for the purposes of providing “direct services” to the user, the TSP or IISP should “supervise and manage” the third party’s utilization of the PI and not entrust PI to any third party unable to meet the PI protection requirements set out in the Internet Provisions.

PI Storage and Handling Security Requirements: Significantly, the Internet Provisions mandate the adoption of eight internal security measures in order to avoid disclosure, loss, damage or distortion of a user’s PI, including requirements to: • Establish an internal safety management system and associated workflows for the collection and use of a user’s PI and other related activities, and to confirm the related responsibilities for protecting PI within each department, branch, and position in an organization; • Limit access by employees and agents to data, and carry out supervisory activities over bulk export, reproduction, or deletion of PI, and to adopt necessary measures to protect against unauthorized disclosure; • Guarantee appropriate storage and security measures for the protection of storage devices containing PI; • Conduct access checks for systems containing users’ PI, and adopt anti-virus and anti-intrusion measures; • Record the details for any individual’s handling of a user’s PI, including such information as the time and place of system access; and • Implement telecom security precautions in accordance with relevant MIIT regulations regarding network security.

The Internet Provisions also strengthen government inspection rights by permitting government authorities to conduct “supervisory inspections” that may include requests for all “related materials” as well as permission to enter the facilities of any TSP or IISP to investigate compliance efforts. [Source]

Online Privacy

US – Mayer Resigns from DNT Group

Stanford’s Jonathan Mayer has resigned from the working group tasked with creating a Do-Not-Track standard for the Internet. “We do not have a credible timetable—and we’ve just adjourned for a month. We do not have a definitive base text. We do not have straightforward guidelines on what amendments are allowed…This is not process: This is the absence of process,” he wrote. Mayer’s resignation comes on the heels of his comments in June indicating that if the group could not reach consensus in the month that followed, it would be time to “call it quits.” [GigaOm]

WW – Twitter Retargeting Service Gets Advocate Approval

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” [Source]

Other Jurisdictions

NZ – NZ Websites Fall Down On Data Privacy

The Privacy Commissioner says New Zealand websites and apps need to do a better job of telling users what they are doing with people’s information and how secure that information is after nearly a third were found to have flawed privacy measures. Commissioner Marie Shroff made the comments in response to a global survey of sites, including New Zealand examples, which found a large proportion had no privacy policy, an inadequate policy, poor contact information or other concerns. They included websites or apps for schools, legal firms, and retailers. The Global Privacy Enforcement Network sweep of websites checked the transparency of 393 New Zealand sites. The survey found that 125 sites or apps did not have a privacy policy or an equivalent – a finding which Ms Shroff said was disappointing. [Source]

AU – Australia Gunning to Become World Leader in Big Data Analytics

The Australian Government Information Management Office has released its Public Service Big Data Strategy that aims to “position Australia as a world leader in the public sector use of Big Data analytics to deliver service-delivery reform, better public policy and protect citizens’ privacy.” The report discusses Big Data’s role in improving the targeting of services and the ability for businesses to offer more tailored services in accordance with individual and community needs, but it also notes privacy concerns that must be addressed before full benefits are realized. Agencies must develop better practices when it comes to cross-agency data sets and data deidentification, for example. [ZDNet] See also: [Czech Republic: Big Data, Big Deal?]

AU – Provision Could Label Data Transfers as Breaches

A provision in Australia’s proposed data breach notification legislation “could deem the unauthorised transfer of data from Australia to another country a breach.” In an interview, Françoise Gilbert notes, “Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures…Australia is sort of following this trend and becoming much more serious about the cross-border data transfers.” The proposed law also calls for a requirement for organisations to notify stakeholders in the event of a breach. [GovInfoSecurity]

Privacy (US)

US – House Committee Creates Privacy Working Group

The U.S. House Commerce, Manufacturing and Trade Subcommittee has created a bipartisan privacy working group to focus on online privacy. With Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) as its chairs, the working group will also include Reps. Joe Barton (R-TX), Pete Olson (R-TX), Mike Pompeo (R-KS), Jan Schakowsky (D-IL), Bobby Rush (D-IL) and Jerry McNerney (D-CA). Blackburn said the working group will “seek opportunities where Congress can forge bipartisan agreement to better protect consumers’ sensitive information and foster U.S.-based innovation,” while Welch added that given advancements in technology, it is “more important than ever that we make sure the consumer’s right to privacy is protected.” [Broadcasting & Cable]

US – Judge Rules Apple Can’t Dismiss Class-Action

A federal judge has ruled that Apple cannot dismiss a class-action alleging it let third parties upload user information from applications on their mobile devices. The judge said lead plaintiff Maria Pirozzi was able to make a “causal connection” between statements Apple made about the iPhone and the safety of its apps and her loss, the report states. “Plaintiffs alleged loss is clear: Apple claimed that apps could not access data from other apps…in actuality they can and have.” [ Courthouse News Service]

US – Judge Dismisses Privacy Claim Against Neighborhood Photographer

New York State Court Judge Eileen A. Rakower has dismissed a claim against photographer Arne Svensen that alleged invasion of privacy. Svensen is a photographer who took photos of his neighbors through their windows, without their knowledge, and displayed the images in an art show. Rakower said the photos are protected under the First Amendment. New York’s civil rights laws “yield to an artist’s protections under the First Amendment under the circumstances presented here,” Rakower wrote. [Photo District News]

US – Court: Vehicle Records Must Be Reasonably Cared For Before Resale

A U.S. Court of Appeals has ruled that companies that resell personal information from motor vehicle records are subject to a “duty of reasonable care before disclosing such information pursuant to the Driver’s Privacy Protection Act (DPPA).” The court ruled on July 31 in Gordon v. Softeach Int’l that “Given the nature of information available through motor vehicle records—e.g., Social Security number, medical or disability information and home address—the DPPA’s purpose would be severely undermined if resellers’ disclosures were not subject to a duty of reasonable inquiry.” [Bloomberg BNA]

US — Chief Justice Roberts Underscores the Issue of Privacy

Chief Justice of the U.S. Supreme Court John G. Roberts Jr. says privacy will be the biggest constitutional issue facing the court for years to come. Among the privacy questions that courts have considered:

  • Can police attach a GPS device to the vehicle of someone they want to track without first obtaining a warrant? In a ruling early last year, the Supreme Court said no. To do so is a violation of the expectation of privacy and, thus, of the Fourth Amendment.
  • Can police take DNA samples from those arrested, but not convicted, of serious crimes? The Supreme Court said yes, in a ruling this spring.
  • Are personal emails protected by federal privacy laws, such as those that cover traditional mail? Different courts have reached different conclusions. In April, the Supreme Court refused to take up the case. So who knows?
  • Can police search cellphone data of people they have arrested? Again, courts have issued different rulings. The Supreme Court has not considered the issue yet.

Other issues:  Can employers demand to see the private Facebook accounts of job applicants? Can they discipline employees for what they say on social media? Questions such as these have developed quickly over the past 10 to 20 years and there is no reason to think the pace of change will slow down, such is the rapidity with which technology continues to evolve. The courts can barely keep up, which helps explain Roberts’ view of the issue. These are important, bedrock issues that will continue to work their way through the courts for decades to come. That is not simply an issue for judges, but for presidents, senators and, at root, voters. [Source]


UK – London’s Bins Are Tracking Your Smartphone

A UK-based authority has called for the end of WiFi tracking by recycling bins placed across London. The “pods” feature LCD screens that show advertisements to passersby, but can also record smartphone movements and other details. The City of London Corporation (CLC) has alerted the Information Commissioner’s Office of the bins, which have allegedly recorded the details of 4,009,676 devices from pedestrians in one week. “Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public,” the CLC said. Financial Times reports the company behind the bins says there is potential to help companies predict “personal habits” of consumers. [The Independent]

UK – City of London Bans Wi-Fi Tracking Trash Bins

The City of London Corporation has asked a company called Renew London to stop using devices embedded in trash bins to gather data from and track smartphones. The high-tech trashcans play advertisements on an integrated flat-screen. The devices in the bins log smartphones’ media access control (MAC) addresses. There are presently 12 tracking devices installed in recycling bins around the city. A statement from the UK Information Commissioner’s Office (ICO) reads: “Any technology that involves the processing of personal information must comply with the Data Protection Act,” and noted that it “will be making enquiries to establish what action, if any, is required.” Renew London has suspended trials of the tracking program. [BBC] [ArsTechnica] [The Register] [] [ArsTechnica]


US — White House Lists Incentives to Adopt Cyber Security Framework

The White House has compiled a list of incentives that it hopes will encourage private sector companies, especially those that support elements of the country’s critical infrastructure, to adopt practices described in the Cybersecurity Framework. The incentive areas include cybersecurity insurance, grants, and liability limitation. [SCMagazine] [CNET] [ComputerWorld] []

US – Survey: CIO, CISO Not Part of Insurance Decision

A new survey conducted by the Ponemon Institute reveals that approximately one-third of businesses and public-sector organizations purchase cyberinsurance, but chief information officers and chief information security officers often have “very little influence” in the purchase decision. Among the 638 U.S. organizations canvassed, there is “still a lot of skepticism about whether such insurance is worth the cost,” the report states. [Network World]


US – NSA Is Casting “Far Wider Net” Than Previously Disclosed

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” [New York Times] See also: [How A ‘Deviant’ Philosopher Built Palantir, A CIA-Funded Data-Mining Juggernaut] and also: [How Big Data Could Help Identify the Next Felon — Or Blame the Wrong Guy]

US – Obama Meets with Tech Biz; Snowden’s E-mail Provider Shuts Down

President Barack Obama met with CEOs from Apple, AT&T and other U.S.-based technology companies to discuss government surveillance, just days after meeting with privacy advocates, POLITICO reports. On the same day, officials from the FBI, CIA and NSA spoke about cybersecurity, and e-mail service provider Lavabit —which offered high-level encryption services and was reportedly used by whistleblower Edward Snowden—announced it was immediately shutting down its service. Lavabit owner and operator Ladar Levison said it was a “difficult decision: to become complicit in crimes against the American people or walk away” from his company. He added the experience has taught him that “without congressional action or a strong judicial precedent, I would_strongly_recommend against anyone trusting their private data to a company with physical ties to the U.S. government.” Snowden said U.S. tech companies “must ask themselves why they aren’t fighting for our interests (in) the same way.” Additionally, Silent Circle announced it was shutting down its encryption e-mail service. [The New York Times]

WW – Satellite Technology a Boon for Business

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” [Source]

UK – CCTV Code of Practice Comes Into Force After Privacy Concerns

The Home Office has introduced a CCTV code of practice to try to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations. However, there is no enforcement of the code and no fines for breaking it.The code, set out by the Home Office earlier this year, acknowledges that CCTV can be vital to security and surveillance, but said it must have a “legitimate aim” and be “compliant with any relevant legal obligations”. In particular, concerns have grown over recent years over the way CCTV is being used for excessive monitoring, such as in taxis, which was deemed illegal by the Information Commissioner’s Office last year. The code states: “This code has been developed to address concerns over the potential for abuse or misuse of surveillance by the state in public places, with the activities of local authorities and the police the initial focus of regulation.” To try and enforce this there are 12 points that CCTV operators must follow that cover a range of issues, from use to data retention and the ability to contact the people running the cameras to access information. [Source]

Telecom / TV

WW – Android 4.3 Keeps WiFi On, Even When It’s “Off”

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns [ValueWalk] See also: [Baby monitor hacked, spies on Texas child] And also: [Is Advising Clients To Clean Up Social Media After Filing a Lawsuit Questionable? ]

US Government Programs

US – NSA to Create Full-Time Privacy Officer; Obama Proposes Changes

In his first news conference since April, President Barack Obama defended the National Security Agency (NSA) surveillance programs, called for more transparency along with a task force charged with reporting on the programs and proposed four changes to the existing programs. Obama said the NSA will create a full-time privacy and civil liberties officer. The White House released a 22-page whitepaper defending the domestic collection of phone metadata, and the NSA also released a seven-page document detailing its role and authority. [The New York Times]

US – NSA Plans to Eliminate System Administrators

In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that “people make mistakes. But … no one has willfully or knowingly disobeyed the law or tried to invade … civil liberties or privacy.” [NBC News] [ArsTechnica] [The Register]

US Legislation

US – SB 1386 10 Years Later and the Path Forward

“Whether or not you view the passage of California’s SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field,” writes Randy Sabett for Search Security. Sabett predicts that the trend started by SB 1386 “of increasingly proactive and granular state data privacy laws will continue to evolve” by focusing on the obligations of stakeholders—mainly those that are collecting the data, and he also expects to see federal privacy legislation. “For now though, it seems that there are too many stakeholders with varied interests to get an ‘omnibus-style’ bill on the books.” [Source]

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring-your-own-device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source]

US – Vote Delayed on E-Mail Warrant Bill

The Hill reports on the delay in “a vote on legislation that would require police to obtain a warrant before accessing e-mails and other online messages.” Senate Judiciary Committee Chairman Patrick Leahy (D-VT) had pressed for a vote prior to the August recess, “but at least one Republican objected to the bill,” resulting in the delay, the report states. If passed, the legislation will limit law enforcement’s ability to access private online messages. Currently, the Electronic Communications Privacy Act of 1986 only requires a subpoena to require Internet companies to provide access to such communications if they have been opened or are more than 180 days old. [Source]

US – Will Congress Legislate Glass?

In a world where laws are constantly playing catch-up with technology, Google Glass offers a possibility for preemptive legislation. Four states have introduced laws to ban Google’s wearable computer Glass while driving; casinos and healthcare facilities are also beginning to ban it; it’s not allowed in the Speaker’s Lobby of Congress, and now Congress is trying to figure out what to do about the privacy and legal issues surrounding the device. All before it’s even available for public consumption. [Politico]

US – New Jersey Bill To Allow Warrantless Cellphone Searches Contested

Proving illegal cellphone use was the cause of a car crash can be difficult for law enforcement. So one New Jersey lawmaker aims to make the process easier by proposing legislation that would allow police to search through a driver’s cellphone after a crash without a warrant. Sen. James Holzapfel (R-Ocean) proposed the legislation in June, but privacy advocates have called it unconstitutional. “We’re entitled to have a zone of privacy, and just because technology threatens to pierce that zone of privacy…doesn’t mean we should give up our constitutional protections,” said a trial lawyer and privacy expert. [Source]

US – Court: Gov’t Doesn’t Need Search Warrant for Location Data

A federal appeals court has decided that government authorities can extract historical location data directly from telecommunications carriers without a search warrant. The court ruled that such searches are constitutional because location data is a “business record” and so is not protected by the Fourth Amendment, the report states. The decision could have implications for other government initiatives to collect metadata under the premise that it constitutes a business record. “It doesn’t make it a slam dunk, but it makes a good case for the government to argue that position,” said one expert. This follows a decision Monday on the searches of cell phones in general where judges said they believe it’s a matter for the Supreme Court. [the New York Times]

US – Appeals Judges: Supreme Court Should Decide Cell Search Case

Following the First U.S. Circuit Court of Appeals’ decision Monday not to rehear a case involving whether warrants are needed to search cell phones, “two First Circuit judges said they voted against rehearing the case in order to speed its path to the U.S. Supreme Court.” In May, the Appeals Court decided 2-1 that Boston police needed a warrant to search a suspect’s cell phone, and earlier this month, Justice Department lawyers asked the court to rehear the case. “Ultimately this issue requires an authoritative answer from the Supreme Court, and our intermediate review would do little to mend the growing split among lower courts,” wrote Judge Jeffrey R. Howard, and Chief Judge Sandra Lynch wrote, “The preferable course is to speed this case to the Supreme Court for its consideration.” [The Wall Street Journal]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate]

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013—which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Franken Introduces Surveillance Transparency Act of 2013

Sen. Al Franken (D-MN) has introduced a bill that would require more transparency around government collection of broadband and phone info. “The Surveillance Transparency Act of 2013 would expand and improve ongoing government reporting about programs under the PATRIOT Act and Foreign Intelligence Surveillance Act that have been the subject of controversy in recent weeks,” said Franken’s office in its announcement. [Multichannel News]

US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance. [ABC’s This Week]

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

At a recent Senate Judiciary Committee hearing senators from both sides of the aisle pressed representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [The Privacy Advisor ]


The FTC has updated its Frequently Asked Questions (FAQs) about changes to the Children’s Online Privacy Protection Act (COPPA). Updates include share buttons, actual knowledge and information collected from child-redirected sites. If an app includes a share button that allows children to send or post information, “verifiable parental consent” is required; clarity on the actual knowledge standard is provided, and best practices are offered to third parties that discover personal information from a child-directed site has been collected. Recent COPPA revisions by the FTC went into effect on July 1. [Full Story ]

US – Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the FTC to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – Utah Law Allowing Administrative Subpoenas Challenged

Legislators are joining privacy advocates in criticizing a Utah law, passed in 2009, that allows prosecutors to obtain Internet users’ information without a warrant. These so-called “administrative subpoenas” allow Investigators to order Internet companies to hand over a user’s name and address, Web session times and durations, local and long-distance phone records and banking information when relevant to cases. The law has been used roughly 1,200 times since its passing. Now, however, privacy advocates and legislators alike are questioning whether the law is in line with the constitution, though it hasn’t yet been challenged in court. Rep. Brian Greene (R – Pleasant Grove) told the Salt Lake Tribune in an e-mail interview that he would favor legislation to scale back the law. Another member of the Judiciary Interim Committee, which has held hearings on the law, Sen. Luz Robles (D-Salt Lake City), said protections should be added to the statute to ensure it’s being used out of necessity, not convenience. Full Story

US — North Carolina Delays Drones with Budget Law

Under North Carolina’s budget law, without the state chief information officer’s okay, no government entity may buy or operate a drone “or disclose personal information about any person acquired through the operation of an unmanned aircraft system” before July 2015. Rep. Jason Saine (R-Lincoln) says the delay is to allow for time to look into concerns about the possibility for police to obtain 24-hour public surveillance abilities. There are exceptions to the rule, and the department of transportation reportedly has plans to acquire a drone in conjunction with the launch of a drone research field. [The Miami Herald ]

US – New York Court Rules DMV-Data Brokers Not Liable for Subsequent Use

The New York Second Circuit ruled that while companies that sell DMV information cannot be held liable under the Driver’s Privacy Protection Act for a purchaser’s use of that information, it “held that companies must uphold a certain standard of care in evaluating statutory disclosure exceptions.” [Law360]

Workplace Privacy

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring your own device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source] See also: [Bra Sizes of Female Detroit Police Officers Emailed to Coworkers] and [NZ:  Sacked woman ordered to show her Facebook pages to prove she didn’t misuse sick leave] See also: [ON: Privacy watchdog’s advice sought for grant-rejection policy]



16-31 July 2013


US – Advocates Support Banning Biometrics in Schools

As more schools explore and adopt security systems for identification purposes, such a move “recently caused a stir in Florida when Polk County Schools decided to incorporate biometric data systems.” The use of technology such as iris scans could soon be banned in the state’s schools, the report states, noting the school district launched a pilot program “allowing a security company to install iris scanners on school buses” without notifying parents in advance. The security company has said it deleted all information gathered, but concerns remain and the ACLU of Florida says a bill is in the works to ban such systems, the report states. [WFSU]


US – Privacy Predicted to Be Next Competitive Differentiator

A Forrester survey that finds 62% of consumers say they would be “not at all likely” to do business again with a company known to have shared their PII with a data broker. Further, 37% report that they’ve abandoned a transaction online due to something they didn’t like in the terms of service, including the privacy policy. Finally, the study commissioned by analytics firm Neustar finds more than a quarter of respondents now using ad-blocking software. This leads Forrester to conclude that privacy is “the new green movement.”[GigaOm] See also: [New trends in data-driven remote healthcare in the U.S.]

WW – Consumers Changing Their Browsing Habits

New reports on the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on has been introduced on Monday that aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports . MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, ‘Stop: Don’t give out your personal information.’“ [The Associated Press]

US – Companies Shifting to Meet Consumer Expectations

Products are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data. [Forbes]


US – Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. [Technology’s Legal Edge]


US – Microsoft Denies Giving NSA Unfettered Access to eMail

Microsoft says it is within its First Amendment rights to disclose national security requests for user data. Microsoft also says that it does not provide the NSA with encryption keys to access email, despite reports that they were helping the intelligence agency bypass security measures to access web chats through Outlook and putting backdoor access in its products to aid federal investigations. [eWeek] [The Register] [ComputerWorld] [ZDNet]

Electronic Records

US – New “Hub” Database Raises Privacy Concerns

As part of the massive overhaul of America’s healthcare system, databases from seven U.S. agencies—from the Internal Revenue Service to the Peace Corps—will be tied together in one $267 million computer system called the Hub to determine which U.S. citizens can purchase medical coverage. The size and breadth of the system is raising red flags from some who are concerned about privacy and security risks, as the system will include data such as identity, citizenship, income and family size. One lawmaker queried, “It’s information on 300 million Americans, all compiled in one place—what could go wrong?” Others note, however, that the system can only access data on potential enrollees and there’s not a central storage center for the data. [Source]


WW – Facebook Browsing Now “Secure” by Default

Earlier this week, Facebook made “secure” browsing a default setting. The option to use TLS (Transport Layer Security) encryption has been an available for two years. “Secure” browsing means that data sent to Facebook servers by users will be encrypted. Among the reasons it took this long for Facebook to make “secure” browsing the default setting is that the company had to wait for third-party applications to upgrade their platforms to avoid compatibility issues. [ComputerWorld]

EU Developments

EU – Hawkes Says Google, Facebook Safe from Audit

While Irish DPA Billy Hawkes announced last week he was beginning a formal audit of LinkedIn, the Office of the Data Protection Commissioner (ODPC) has said in e-mail correspondence with advocate group it will not be investigating Facebook and Google in relation to the NSA revelations. “We do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that ‘Safe Harbor’ requirements have been met,” the ODPC wrote. However, that Safe Harbor agreement is now consistently under fire. Earlier this week, EU Justice Commissioner Reding said she would be reviewing the agreement, and now German privacy officials are calling on Chancellor Merkel to push for suspension of the Safe Harbor agreement. [The Independent]

EU – Commissioner Begins Inquiry Into LinkedIn

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year. [The Independent]

EU – Safe Harbour Agreement “Under Review”, Says European Commission

Vice President of the European Commission Vivane Reding said the commission will present a “solid assessment” of the current Safe Harbor agreement between the EU and U.S. by the end of the year. The European Parliament has called on the commission to conduct such a review following revelations that Safe Harbor parties were involved in the U.S. National Security Agency’s surveillance program. Reding has said, “The Safe Harbor agreement may not be so safe after all.” []

EU – European Parliament Wants NSA Chief to Testify

The European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection as security agency activities generally come under the jurisdiction of member states. [Slate]

EU – Germany Wants UN Privacy Charter

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S. [The Associated Press]


UK – Critics Say UK Prime Minister’s Web Filtering Plan is Misguided

UK Prime Minister David Cameron’s plan to make Internet service providers (ISPs) and search engines filter pornography is seen by some as misguided. Open Rights Group executive director Jim Killock notes that “banning search terms seems unlikely to combat the serious activity, which is independent of search engines.” And technology journalist Simon Bisson writes, “What the UK government should be concentrating on is an effort to break the financial ties that hold the darknets together. Finding who holds the purse strings is a complex task, but it’s a technique that has been proven to work time and time again. And perhaps it should also be noted that it’s an approach that’s well within the capabilities of the powerful surveillance tools that government security agencies have put in place … to combat terrorism.” [ZDNet] [BBC] [CNET] [ComputerWorld] [Draft of Cameron’s Speech]


US – 160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure

Five people have been indicted in connection with a series of major cyberattacks that compromised more than 160 million credit card accounts over a seven-year period. A separate indictment of one of the men exposed a two-year-long penetration of computers at the NASDAQ and shined a light on the vulnerability of global financial systems. The five men named in the indictment were allegedly involved with breaches for which Albert Gonzalez is currently serving a 20-year prison sentence. Between 2005 and 2012, the group allegedly breached systems at Heartland Payment Systems, Hannaford Brothers, and Dexia Bank Belgium, and a number of other organizations. [NYTimes] [WIRED] [ComputerWorld] [KrebonSecurity] [BBC] [CNET] []

US – Bank Glitch Exposes Data on 150,000 Customers

“In a case that could serve as a warning to other banks that contribute customer data to public storehouses,” Citigroup said it improperly protected consumer data—including Social Security numbers, birth dates and other sensitive information—when it shared nearly 150,000 records with the government’s legal document system, otherwise known as the Public Access to Court Electronic Records (PACER). The bank reached a settlement with a division of the Justice Department to redact the customer data at its own expense, notify those affected and offer one year of free credit monitoring. In a statement, the bank said, “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings.” [American Banker]


US – Hulu: “Anonymous” Data Not Covered By VPPA

In new court papers filed last week, Hulu argues that sharing “anonymous” data about its users’ viewing habits with third parties is not a violation of the Video Privacy Protection Act (VPPA). Filed with U.S. District Court Judge Laurel Beeler in San Fransisco, the company wrote, “Hulu cannot be liable for disclosing anonymous user ID to comScore or Nielsen or to any other service provider.” Hulu acknowledges it shares users’ viewing histories, but removes names and any other identifying information. Instead, it assigns each user with an anonymous user ID prior to transmitting the data. In the class-action lawsuit filed against the company, users allege that third parties with whom the data is shared can re-identify the information. Hulu said it stopped the practice allowing such re-identification two years ago. [MediaPost News]

Health / Medical

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – VA Seeks Breach Lawsuit Dismissal

The VA has motioned to dismiss a lawsuit filed by patients affected by a breach earlier this year at William Jennings Bryan Dorn VA medical center. The VA filed the motion on grounds that plaintiffs have failed to prove the breached records were improperly disclosed. More than 7,400 patient records were on a laptop that was stolen last April. The government is now arguing that with lack of evidence that an unauthorized person viewed the records, the breach should not be considered improper disclosure under the Privacy Act, the report states. [HealthITSecurity]

WW – Google to Make $8.5 Million Donation in Settlement

Google will make an $8.5 million donation to nonprofit organizations in order to settle a class-action lawsuit alleging it leaked the names of search users. Google will also revise the “frequently asked questions” section of its privacy policy, the report states. Recipients of the settlement include the World Privacy Forum, Carnegie-Mellon, Harvard Law’s Berkman Center for Internet and Society and Stanford Law’s Center for Internet and Society. [MediaPost News]

Horror Stories

US – SEC, Retailer Announce Breaches

The Securities and Exchange Commission (SEC) has announced a data breach after a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees on to a thumb drive and then transferred the data to another agency. The SEC did not learn of the incident until 10 months after it occurred. It is unclear how many employees were affected. Meanwhile, retailer Lakeland has warned customers of a potential data breach after two encrypted databases were accessed. [The Hill]

US – OHSU Reports 3,000 Records Breached

The Oregon Health & Science University has notified more than 3,000 patients their personal data was compromised after it was discovered the data was placed by resident physicians on two information-sharing services. Compromised data included patient names, medical record numbers, dates of service, diagnoses and providers’ names. The school said, “There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information.” [ModernHealthcare]

US – Details Emerge on Monroeville Breach

A situation involving the Office for Civil Rights (OCR) and the Monroeville, PA, 911 dispatch center in which the OCR told the center is had 30 days to conduct an investigation on protected health information that was exposed for a former police chief. Details obtained by the Pittsburgh Post-Gazette reveal that details on Monroeville 911 records were available to unauthorized individuals for an extended period of time, among other revelations. Meanwhile, a programming error has led to a data breach at Indiana Family and Social Services Administration. [Health IT Security]

US – Citibike Notifies 1,200 of Breach

NYC Bike Share, the company that designs and manages the Citibike sharing system, has notified nearly 1,200 customers that their credit card numbers, names and addresses were mistakenly posted on the back pages of its website for approximately 24 hours. The glitch reportedly occurred between April 15 and late May. One customer notified by the company said she was glad to have been notified directly, though she was surprised the incident happened. Some businesses just post cryptic messages on their websites, she said, adding, “I felt in a way they handled it more responsibly.” [New York Post]

US – Stanford Breached; Recognizing Bank Breaches

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.” Meanwhile, Bank Systems & Technology writes, “we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.” [Source]

US – Medicaid Patient Records Potentially Compromised Via E-mail

The Office of the Medicaid Inspector General (OMIG) has announced an internal employee in New York sent 17,743 Medicaid patient records to a personal e-mail account in October 2012. The employee did not have OMIG consent to send the e-mail and has been placed on administrative leave. The potentially compromised information may have included patients’ first and last names, dates of birth, Medicaid client information numbers and Social Security numbers, the report states. [Health IT Security]

US – 1.8m Affected by Ubuntu Breach, Apple Hacked

Ubuntu Forums has suffered a massive data breach, the company announced on its site. Every user’s local username, password and e-mail address were stolen from the company’s database. Approximately 1.82 million users are subscribed. Meanwhile, the University of Virginia has notified 18,700 students of a recent data breach after a third-party mailing vendor accidentally sent the students’ Social Security numbers in brochures mailed to home addresses, and Apple says its website for developers has been breached, but says customer information is encrypted and was not affected. [ZDNet]

Identity Issues

US – Deception Is at the Heart of PLSC-Winning Papers

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, IAPP interviews the winners and discusses their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them. [Privacy Advisor]

Intellectual Property

US – State AGs Want Ability to Prosecute ISPs for Third-Party Content

“If you want to run a European Internet company dealing with user-generated content, be prepared to put your personal liberty at stake.” The analysis is based on recent cases involving ISP executives charged with various crimes due to the content their users posted. But Europe isn’t the only place such dangers lurk. At a meeting of the National Association of Attorneys’ General last week, it was revealed that some state AGs are drafting a letter to Congress that would exclude state criminal prosecutions from Section 230, a provision that says websites aren’t liable for user-generated content or other third-party content. Essentially, the change would allow state AGs to prosecute Internet companies, including their executives, for violating state law via publication of third-party content. [Forbes]

Internet / WWW

WW – The Good, the Bad and the Ugly of the Internet of Things

In anticipation of a roundtable discussion on the Internet of Things this November, the FTC has released submitted comments—coming from industry, privacy advocates, academics and regulators. This Privacy Perspectives post explores the potential benefits and drawbacks of this nascent phenomenon as well as the privacy discussions that need to be hashed out. Meanwhile, Kashmir Hill of Forbes writes about hacking into a smart home. [Source]

Law Enforcement

US – ACLU: Police Tracking Innocent People’s License Plate Data

An ACLU report reveals that police departments across the U.S. are using license-plate readers to capture and store information about individuals’ whereabouts—without their knowledge. The report found that data on even those who have not been accused of a crime is stored in the database. The ACLU says rules must be enacted to restrict how such technology is used and for how long such data is retained. Meanwhile, the Center for Investigative Reporting writes local officials are moving forward with a federally funded project that aims to combine data on surveillance cameras, gunshot detectors, license-plate readers, Twitter feeds and alarm notifications into a single tool for law enforcement. [The Hill]

US – Feds Arrest Five in Largest Hacking Scheme Ever Prosecuted

U.S. Attorney Paul Fishman announced today the indictment of four Russians and a Ukranian in what he is calling “the largest hacking and data breach scheme ever prosecuted in the United States.” From 2005 to 2012, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets allegedly uploaded malware into the computer systems of large institutions like Dow Jones, NASDAQ, JetBlue and 7-Eleven, then used that access to download and sell as many as 160 million credit and debit card numbers, along with other PII. Stolen funds reached into the many hundreds of millions. [The Star Ledger]


US – NTIA-Led Group Releases Code of Conduct

After a year of meetings and deliberations, the multi-stakeholder group organized by the National Telecommunications and Information Administration released yesterday statements showing general support for its Short Form Notice Code of Conduct, along with concrete examples of what the “nutrition label”-like short-form privacy notice might look like. These new notices won’t replace long-form privacy notices, but will serve as quick guides to which information is being collected by mobile apps and for what purpose. However, use of the short-form notices remains voluntary, and, noted Adweek, only two of the stakeholders committed concretely to use of the code of conduct. Other groups, such as the ACLU and EFF, voted to support the short form notices, but without committing to a full endorsement. And another 17 groups voted for more consideration. “It is not a consensus and not done,” said Stu Ingis, of the Direct Marketing Association. [WashingtonPost]

US – DAA, NAI Each Release Mobile Privacy Rules

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” DAA member the Network Advertising Initiative has released their final version of mobile privacy rules as well. [MediaPost News]

US – Study Says Short-Form Notice Can Be Ambiguous

A new study conducted by Carnegie Mellon University (CMU) reveals that the U.S. Commerce Department short-form notice proposal, as it currently defines data collection notice categories, has the potential to confuse consumers. The proposal calls for app developers to describe data types that will be collected—such as “biometrics”—and what types of third parties receive collected data—such as “ad networks.” The study surveyed 800 consumers and four experts about which terms they would use to categorize collection practices. Lorrie Cranor, a CMU computer scientist who oversaw the study, said the terms are “not well-defined, even the experts weren’t sure how to apply them,” and added, “When you have a bunch of lawyers and policy people coming up with the consumer tools, they’re not going to come up with something that is necessarily usable.” [Online Media Daily]

US – Study: Mobile Health Apps Carry Privacy Risk

According to a new study released yesterday by Privacy Rights Clearinghouse, many mobile health apps carry privacy and security risks. The report surveyed 43 free and paid apps—including the top 20 paid apps in health and fitness categories—and found several did not have privacy policies, transmit data without encryption and send user data to third parties such as ad networks and analytics companies. Privacy Rights Clearinghouse Founder Beth Givens said, “Data security and privacy—from a technical standpoint—is abysmal.” [GigaOm]

WW – Next Gen Video Game Consoles Raise Privacy Concerns

There are growing concerns about the privacy and data collection capabilities of the next generation of video game consoles. With more integration planned between consoles and social networking sites and video chat platforms, including Skype, “consoles are becoming as connected as the other devices we use every day,” the report states. The new systems will also feature motion- and voice-controlled technology used for recognizing users. Electronic Frontier Foundation Senior Staff Technologist Seth Schoen said, “Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what devices are doing and very little control over the software running on the devices.” [NBC News]

Online Privacy

WW – Mozilla Unveils Personalization Project, Catches Flak

Mozilla announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: “So the takeaway is that it’s OK for Mozilla to track, but not third parties?” asked Alan Chapell of Chapell & Associates, co-chair of the Mobile Marketing Association’s privacy committee. [Source]

US – Twitter Transparency Report Shows Growing Government Demand for Data

Twitter says the U.S. government continues to make the most requests for data on subscribers. In the first six months of the year, federal authorities made 902 requests for user information. In the same period last year, it requested information on 815 subscribers, the company’s transparency report indicates. Additionally, the U.S. government’s requests comprised 78% of all requests for user data. In its latest blog post, Twitter said it has “joined forces with industry peers and civil liberty groups to insist that the U.S. government allow for increased transparency into these secret orders.” [Washington Post]

US – Just How Creepy Is Predictive Search?

The New York Times reports on the new trend of apps utilizing predictive search to alert users to information they didn’t know they needed. From Google Now to Evernote to MindMeld, these apps scan users’ e-mail, calendar, notes and other items in the cloud or on a device to predict which information will be useful in the near future. A user might receive an alert that traffic is bad between midtown and the suburbs because the app knows that’s where the 10 a.m. meeting is. However, some observers are calling the services invasive and creepy, while others point to issues around context. “What works for a group of 30-something engineers in Silicon Valley may not be representative of the way that 60-year-old executives in New York tend to use their phones,” says UPENN Wharton School Prof. Andrea M. Matwyshyn. [New York Times]

US – Pinterest to Honor DNT Settings

Pinterest has added new site-personalization features for users drawn from their web-browsing activities but has also provided users with an opt-out choice. The company also announced it will support and honor users’ who select Do-Not-Track settings. “We’re excited to give everyone a more personalized experience,” Pinterest wrote in a blog post on Friday, “but we also understand if you’re not interested! We support Do Not Track, and you can change your account settings anytime.” The Electronic Frontier Foundation (EFF) supported the moves, which are similar to that of Twitter. “Hopefully, the decisions of Twitter and Pinterest are the vanguard of a new industry standard around respecting Do Not Track and soon this will be the default of all major websites,” the EFF wrote. [GigaOm]

WW – Terms and Conditions Documentary Examines Internet Privacy Issues

Terms and Conditions is a recently released documentary that examines the evolution of Internet privacy policies over the last 15 years. A dozen Internet privacy bills were introduced prior to September 11, 2001, but all were abandoned in the wake of the attacks. Instead, the PATRIOT Act was put in place, which led to the NSA’s wide-reaching data gathering practices. Assurances of anonymity have disappeared. The film compares Google’s privacy policy from December 2000 with that from December 2001. In short, the earlier policy clearly states that users’ identities are not traceable through cookies, but the one from a year later indicates that cookies might be able to be used to identify a particular user. That later policy says, in part, “Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute or court order.” The film also addresses Facebook’s data retention practice. When users delete or remove content from their profiles, it merely gets flagged as deleted, but it still remains in the Facebook data banks and is accessible to Facebook or government agencies. [ArsTechnica]

US – W3C to Miss July Deadline for DNT

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers. [MediaPost News]

Other Jurisdictions

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. state are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. [Bloomberg]

AU – Australian Government Considers Joining Merkel’s Agreement

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained. [ZDNet]

JP – Railway Company Apologies for Selling PII

Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states. [The Wall Street Journal]

Privacy (US)

US – Industry Groups Push for Federal Breach Notification Law

At a House hearing, industry groups called on Congress to move toward a federal data breach notification law. According to some witnesses, the current patchwork of state notification laws are burdensome for business. Though the hearing was mostly informative, according to the report, House Energy and Commerce Subcommittee Chairman Lee Terry (R-NE) expressed interest in pursuing legislation. Rep. Henry Waxman (D-CA) warned that federal legislation should not undercut state standards that already “have strong breach notification laws.” The Senate last month introduced federal legislation. [The Hill]

US – Legislator Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the Federal Trade Commission to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Court Dismisses Class-Action Claim Against Gaming Site

The U.S. District Court for the Central District of California has dismissed a majority of the claims brought against Blizzard Entertainment, Inc., after a 2012 data breach. Hackers had gained access to customers’ accounts, including e-mail addresses and cryptographically scrambled versions of passwords. Among other allegations, the plaintiffs claimed the company failed to notify users of the breach in a timely manner. The court said the plaintiffs “failed to allege adequate harm.” Meanwhile, a Colorado clinic reports it has fired an employee in its billing department who improperly e-mailed some patients’ protected information to her own personal account. [Mondaq]

US – Digital Advertiser Settles Privacy Violation

Digital marketing company PulsePoint has agreed to settle charges by the acting New Jersey attorney general and the New Jersey Division of Consumer Affairs that it bypassed consumers’ privacy settings in Safari browsers. The company allegedly used cookies to bypass settings that are designed to block targeted ads. Acting New Jersey Attorney General John J. Hoffman said, “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.” Another provision of the settlement requires PulsePoint to post its data collection practices on its website. A company spokeswoman said PulsePoint took “user privacy very seriously” and that the cookies in question had been “primarily limited to technical purposes such as fraud detection” and not for targeted ads. [The New York Times]

US – Reddit Joins Lobbying Group

Link-sharing and discussion website Reddit has announced that it has joined the Internet Association, a Washington lobbying group. The association was founded last year and lobbies on topics including surveillance laws, privacy, regulation and cybersecurity. “In spite of reddit being an incredibly effective way to lower workplace productivity, we’ve also seen how online communities can have a transformative economic impact,” said Reddit’s general manager. The Internet Association recently wrote to the U.S. Executive branch and congressional leaders calling for greater transparency on national security-related requests for user data from Internet service providers. [The Hill]

US – The Privacy (and Security) Pro in the White House

Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. The Privacy Advisor gets the first interview with him about his new position. Meanwhile, Politico talks about growing pains for the PCLOB, with which Schwartz will be working closely. [Privacy Advisor]


US – Obama Seeks Industry Incentives, Including Limited Liability

A “preliminary” presentation has been set forth by the Department of Homeland Security that looks into offering incentives to industries that adopt voluntary cybersecurity standards. Potential incentives include tax breaks, cyberinsurance “perks” and protection against legal liability. A White House representative noted the presentation is a “snapshot in time” and it only “reflects some preliminary analysis.” Cybersecurity legislation failed to pass Congress last year so the Obama administration’s cybersecurity executive order relies on industry cooperation. The DHS and National Institute for Standards and Technology are working with business to create a framework. Meanwhile, cybersecurity experts weigh in on the recent announcement that DHS Secretary Janet Napolitano will retire. [POLITICO]

UK – Intelligence Agencies Support Security Assessment for Large Companies

UK intelligence outfits GCHQ and MI5 are supporting an effort from the Department of Business, Skills, and Innovation, that asks the UK’s largest listed companies to take part in a Cyber Governance Health Check. The process involves having the companies’ chairpeople and audit committee heads complete web governance questionnaires. The companies’ audit committees will have the opportunity to discuss security issues discovered, and participating organizations will be able to view anonymized information about other participating organizations. [ZDNet] [] [Telegraph] [ComputerWorldUK]

US – Cybersecurity Bill Draft Is Circulating

There is no shortage of guidance for privacy and security professionals charged with designing and implementing a secure information infrastructure; existing regulations, ISO standards 27001 and 27002 as well as industry-wide practices are just the most prominent sources. But if congressional leaders get their wish, there will soon be yet another source of guidance: the Cybersecurity Framework from the National Institute of Standards and Technology. [Source]

WW – Cyber Insurance Policies on the Rise

Cyber insurance has become increasingly popular among businesses. That’s because of high-profile data breaches at companies including Citigroup and Sony and at governments around the world, the report states. “We’ve reached a threshold where people are now coming to us instead of us going to them,” said one industry executive, adding that his company, Aon Corp., has sold more cyber insurance policies within the last year and a half than in the five years prior. [Live Insurance News]

US – USDA Mobile Device Security Program Not Living Up to Expectations

Officials at the US Department of Agriculture (USDA) say that a mobile device security system it solicited in November 2012 is not functioning as specified in the contract. The solicitation from November 2012 specified “a fully functional 30 day pilot with vendor support … ready to support a minimum of 3,000 mobile devices.” The project is roughly a year behind schedule and parts of the project are incompatible with USDA’s network security infrastructure. The vendors hired for the USDA project are the same as those with which the Pentagon’s Defense Information Systems Agency (DISA) recently signed a three-year, US $16 million contract to provide security for 300,000 mobile devices. Neither DISA nor the Department of Agriculture required verification that the software being purchased is compatible with their existing software – resulting in extreme delays and significant additional costs at Agriculture and probably at DoD as well. [NextGov]

WW – Most Mobile Companies Have Fixed SIM Card Flaw

Nearly all mobile companies have patched a serious flaw that affected more than 500 million phones; the fixes were delivered within 10 days of notification. Karsten Nohl said that his team had found a way to remotely access and control mobile devices’ SIM cards. In some cases, the SIM cards could also be cloned. Attackers could exploit the flaw to eavesdrop on communications, pilfer information from accounts, and commit identity fraud. The attack allowed hackers to obtain SIM cards’ digital keys. The attack involves sending a text message to the SIM card that in certain cases, results in the card returning data that can be decrypted to reveal the key. [NBC News] [The Guardian]

WW – Researchers Hack Into Car Computer

Two security experts have demonstrated how they can hack into an automobile’s computer network to control essential functions, including shutting off the brakes. Charlie Miller, a security engineer at Twitter, and Chris Valasek, an intelligence security director at IOActive, have received a grant from the Pentagon to discover security vulnerabilities in automobiles. “When you lose faith that a car will do what you tell it to do,” Miller said, “it really changes your whole view of how the thing works.” Miller and Valasek plan to share their finding at next month’s Defcon hacker meeting in Las Vegas. A representative from Toyota said the real concern isn’t physically hacking into a car, as the duo have done, but wirelessly hacking into a car. “We believe our systems are robust and secure,” the representative said. [Forbes]

UK – Judge Bans Publication of Paper on Car Security System Hacking

A UK high court judge has ruled that a trio of computer scientists may not publish a paper describing how a weakness in a cryptographic algorithm used to identify automobiles’ ignition keys. The injunction was sought by Volkswagen, which also owns Porsche, Audi, Bentley, and Lamborghini. The Megamos Crypto system, which is discussed in the paper, is used by a number of the luxury car brands. Volkswagen asked that the researchers publish a redacted version of the paper because they maintain the information could be used to steal cars. The researchers say that the information is available online. They also notified the manufacturer of the vulnerable chip nine months ago to give the company time to address the security issues before they planned to present the paper. [ArsTechnica] [BBC] [The Register] []

WW – Governments Ban Lenovo PCs from Accessing Classified Networks

A recent report from Australia’s Financial Review revealed that for the past seven years, the governments of the US, the UK, Australia, New Zealand, and Canada have banned the use of Lenovo PCs to access classified networks. Together, these countries make up the “five eyes” electronic eavesdropping alliance. The ban was prompted by concerns that the Chinese government may have installed backdoors to allow monitoring. Lenovo acquired IBM’s PC division in 2005. When the US State Department purchased 16,000 Lenovo PCs in 2006, legislators’ security concerns resulted in the machines being relegated to use only on unclassified networks. [InformationWeek] [The Register] []

WW – Questionable Apps in Google Play Store

Symantec says that over the last seven months, it has detected more than 1,200 suspicious or questionable apps in the Google Play store for Android. Most are removed from the store shortly after their appearance, but some remain available for several days. The objective of apps can be difficult to discern, especially when they employ several layers to obfuscate their intent. [InformationWeek] [ComputerWorld]

WW – Apple and Samsung Smartphone Antitheft Technologies to be Tested

The “Secure Our Smartphone” initiative asks phone makers to implement technology that will help reduce smartphone theft. This week, state and federal prosecutors in California plan to bring in experts who will try to defeat security measures on smartphones provided by Apple and Samsung. Apple’s iPhone 5 will have the “Activation Lock” feature enabled, and Samsung’s Galaxy S4 will come with the LoJack for Android feature. Federal prosecutors are still hopeful that the companies will eventually manufacture smartphones with kill switches. [CNET] [ComputerWorld]

WW – Cybersecurity Moved From 12th to 3rd Place on Lloyd’s Risk Index List

Lloyd’s Risk Index 2013 places cybersecurity near the top of the list of risk factors faced by businesses. Risk of cyber incidents was ranked twelfth in the 2011 Index and has moved, in three years, to third, following only high taxation and loss of customers. Cyber issues top the list of political, crime, and security risks. This may be attributable to increased politically and ideologically motivated attacks and the increased cost associated with attacks. The report questions whether organizations “are spending money on the right things” to effectively address cybersecurity, and posits that spending money on security measures and making sure that security recommendations are implemented might be a better investment than purchasing insurance policies that cover cyberattacks. An April 2013 report from the Insurance Information Institute suggests that about two-thirds of cyber incidents are due to issues within organizations’ control. [Lloyds Risk Index] [Lloyds Press Release] [Lloyds Report]


US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance.

US – NSA Amendment Voted Down In House

In a close vote, the U.S. House of Representatives defeated an amendment that would have prevented the National Security Agency from collecting large volumes of phone records. The 205-217 vote followed “impassioned debate over citizens’ right to privacy and the steps government must take to protect national security.” Rep. Jerrold Nadler (D-NY) said of Section 215, the provision under which the NSA collects phone metadata, “It’s going to end—now or later…The only question is when and on what terms.” Rep. Mike Rogers (R-MI) said he would draft legislation in the coming months to add more privacy protections to government surveillance programs. In an op-ed for The Times, David Brin writes of increased surveillance: “You can either fight this new era, or embrace it.” [The New York Times]

US – US House Defeats Measure to Rein In NSA Data Collection

By a narrow margin, the US House of Representatives voted down an amendment to the DoD Appropriations Act of 2014 that would have restricted the NSA’s authority for bulk collection of phone record metadata. Under the defeated amendment, the NSA would still have had the authority to collect phone records of suspects related to anti-terrorism investigations. The White House opposed the amendment, saying “this blunt approach is not the product of an informed, open, or deliberative process.” [WIRED] [ArsTechnica] [ZDNet] [ComputerWorld] [The Atlantic]

CA – Ontario Commissioner Discusses Dangers of Metadata

The Ontario Information and Privacy Commissioner Ann Cavoukian discusses the term “metadata,” frequently used since revelations of the U.S. National Security Agency’s surveillance program. While government officials defend the use of metadata, claiming it isn’t privacy invasive because it doesn’t access telecommunications content, Cavoukian says this is “fanciful thinking–perpetuating a myth that is highly misleading. The truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” Cavoukian has also published a white paper on the topic.[Toronto Star]

US – Court Renews NSA’s Authority to Gather Phone Metadata

The US Foreign Intelligence Surveillance Court has renewed its order granting the National Security Agency (NSA) authority to collect metadata from telecommunications companies. The decision to renew the program was made “in light of the significant and continuing public interest in the telephony metadata collection program.” The order does not allow access to content of phone calls or the identity of subscribers. [ComputerWorld] [ZDNet] [Ars Technica]

US – US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights

The US government has responded to a series of lawsuits challenging the NSA’s authority to snoop on phone records, saying that the intelligence agency’s activity cannot be challenged in court. The Obama administration maintains that the actions do not violate citizens’ constitutional rights and are conducted in the “public interest.” [WIRED] [US DOJ Filing]

US – NSA Adopts Procedures to Protect Data on its Networks

New rules adopted by the National Security Agency (NSA) aim to protect the top-secret data stored on its networks. A “two-man rule” requires that two systems administrators to work together when accessing systems containing highly classified data. The system is based on a similar procedure used in the handling of nuclear weapons. The NSA also plans to implement strong encryption for its most sensitive data. [NY Times]

NZ – Bill Would Expand NZ Intelligence Agency’s Domestic Surveillance

New Zealand’s parliament is poised to pass legislation that gives the Government’s Communications Security Bureau (GCSB) broader surveillance powers, including the authority to wiretap New Zealand citizens’ communications. GCSB’s domestic surveillance activity gained attention last year after it tapped communications of Megaupload founder Kim Dotcom, an action found to be illegal because Dotcom was a resident of the country. Public opposition to the bill is growing. [The Register] [] [NZHerald]

Telecom / TV

US – NJ Supreme Court: Get a Warrant for Cellphone Info

The New Jersey Supreme Court ruled that law enforcement must acquire a warrant prior to obtaining tracking information from a suspect’s cellphone. The ruling “puts the state at the forefront of efforts to define the boundaries around a law enforcement practice” that has divided courts around the country, and the issue will likely end up before the U.S. Supreme Court. Meanwhile, a House appropriations panel has unanimously adopted an amendment that would require law enforcement to get a warrant before accessing e-mail and other online messages. The amendment was added to the Fiscal Year 2014 Financial Services and General Government Appropriations bill and the privacy requirement covers the Internal Revenue Service, the Securities and Exchange Commission and other regulatory agencies. [The New York Times] [Text of decision]

US – Appeals Court Says No Warrant Required for Accessing Location Data

The US Fifth Circuit Court of Appeals in New Orleans, Louisiana, has ruled that law enforcement agents do not require warrants to track suspects’ locations through cell phone records. The ruling overturns an order from a federal judge in Texas. The new ruling indicates that cell phone records are the property of the carrier and are therefore not subject to reasonable expectation of privacy under the Fourth Amendment. Instead, the information is considered a business record. A court order is still required to search the records, but the requirements for obtaining a court order are less stringent than those for obtaining a search warrant. The Louisiana court cited the Stored Communications Act in support of its ruling. [CNET] [ComputerWorld] [ArsTechnica] [The Atlantic] [Text of Decision]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate] See also: [WSJ: Judges Ask Supreme Court to Take On Cell-Phone Searches]

US – Razor-Thin House Vote Prompts Privacy Action

A “razor-thin defeat” of a congressional measure to curb domestic surveillance and the subsequent reaction from lawmakers and privacy advocates. One former NSA analyst-turned-whistleblower said, “It doesn’t mean the end of it. It’s the beginning.” Sen Patrick Leahy (D-VT) announced the Senate Judiciary Committee will hold a hearing next week entitled, “Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs.” Rep. Adam Schiff (D-CA) is crafting legislation to create a special privacy advocate to appear in front of the FISA court as an “adversary.” The New York Times delves into the FISA court judges and the role played by Chief Justice John Roberts in choosing them. [The Guardian]

US – PCLOB To Meet With Private Sector

The Privacy and Civil Liberties Oversight Board (PCLOB) is slated to meet with Internet and telecommunications companies to determine what data and access to company servers they’ve provided to the U.S. government, Bloomberg reports. The move comes after the PCLOB held a hearing last week with privacy experts and former government officials. “It’s valuable to hear company perspectives on how the programs operate,” said PCLOB Chairman David Medine. “We want to hear both sides of it. We want to hear the government side, but we also want to hear the private-sector side.” Also, the PCLOB is getting reinforcements: Sharon Bradford Franklin is leaving The Constitution Project to join the board as executive director, The Hill reports. Meanwhile, a coalition of Internet companies and civil liberties groups are calling on the Obama administration and Congress to expand the disclosure of U.S. government surveillance programs. [Source]

US Government Programs

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

A recent Senate Judiciary Committee hearing saw senators from both sides of the aisle press representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [Privacy Advisor]

US – Senators Aim to Change NSA’s Data Collection Practices

Undeterred by a recent House vote that failed to restrict NSA’s data gathering practices, a number of US senators say they plan to introduce legislation that will focus on the NSA’s phone data collection practices. The legislators say they want to make the NSA’s activity more transparent. Senator Al Franken (D-Minnesota) plans to introduce a bill that will require the NSA and other intelligence agencies to disclose the number of people whose information they have collected, and allow companies to disclose the numbers of surveillance requests made by government agencies. Senator Richard Blumenthal (D-Connecticut) will seek changes at the Foreign Intelligence Surveillance Court, adding the presence of public advocate lawyers. Senator Dianne Feinstein (D-California) wants the length of time that the data are held reduced from five years to two or three years. [ComputerWorld] [Ars Technica]

US – Documents Show Lawmakers Knew of NSA Data Gathering

Documents released by US intelligence officials earlier this week show that legislators were aware of the NSA’s wide-reaching data collection practices, but were prohibited from discussing the issue. The intent of releasing the information is to “allay concerns that the Obama administration was overstepping its legal authority.” [WIRED]

US – NSA Chief Defends Data Gathering Programs, Asks Disagreers to Help

In his keynote address at the Black Hat security conference in Las Vegas, NSA chief General Keith Alexander defended the agency’s data collection and surveillance practices. Alexander maintained that there have been “zero abuses of NSA PRISM,” and that the data gathering is an essential part of fighting terrorism. He said that the data collection programs have been mischaracterized, and that the allegations that they are “collecting everything [are] not true.” Alexander noted that queries of the collected phone call metadata are restricted. Alexander also told audience members, “If you disagree with what we’re doing, you should help us [make it better].” [WIRED] [ArsTechnica] [CNN] [SC Magazine] [NextGov] [CNN] The General’s entire keynote, defending NSA’s practices, is available on YouTube at the official BlackHat channel ]

US Legislation

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013 —which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Hearing on Breach Notification

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing that saw industry groups pushing for a federal data breach notification law. Bloomberg reports that the push aims to create one streamlined process to preempt the differing requirements in 46 states and the District of Columbia. Corporate Counsel reports this is the fourth time in eight years the house has considered such a law. “The subcommittee called six witnesses representing technological and telecommunications trade groups, privacy software companies, and academia,” all of whom advocated for a federal standard, but differed on how it should read.

US – Hulu Argues No VPPA Violation

The online streaming company Hulu is facing a potential class-action lawsuit for violating the Video Privacy Protection Act (VPPA) for disclosing its customers viewing habits. While the company admits to sharing the information, it argues in court papers that because the data is associated with an ID number and not personal information there is no violation. “The consumers alleged in their lawsuit that third parties could figure out people’s identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users’ profile pages.” Hulu claims in the court papers to have stopped this practice two years ago. [MediaPost]

US – Judge Orders Google to Reveal Blogger

A Manhattan judge says there is compelling enough evidence to unveil the identity of an anonymous blogger who has created blogs titled and “The web blogs…are causing actual, pecuniary injury to Mr. Schulman’s reputation as a zealous advocate for consumers against debt collection companies,” states Schulman’s court petition. Google questioned the necessity of revealing the bloggers identity, but the judge has ordered them to do so, though Schulman has yet to even file a defamation suit. The blogger has an opportunity to challenge the discovery, according to the report. Unless that happens, Google has two weeks to comply. [Wall Street Journal]

US – Congressmen Introduce Bill to Curb ID Theft of Deceased

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720 to address the privacy of recently deceased individuals. “The bill would mandate that, starting January 2014, only death information older than three years would be made publicly available through the (Social Security Administration’s Death Master File), which will prevent criminals from filing fraudulent tax returns before the legitimate family files its return,” states the press release.

US – Bill To Spur EHR integration Between DoD and VA

Sen. Bill Nelson (D-FL) introduced The Servicemembers’ Electronic Health Record Act of 2013 (S. 1296), to set a one-year timeline for the integration of electronic health records between the Department of Defense and the Department of Veterans’ Affairs, among other things. The bill would amend the Wounded Warrior’s Act and requires the agencies to create standard forms and methods for data sharing, including giving consideration to storing data in the cloud. According to the report, a similar bill has been proposed in the Senate (H 2590), which has 44 co-sponsors and has been referred to the House Armed Services and Veteran’s Affairs Committees. [FierceEMR]

US – Judge Allows Orgs to Seek Dismissal of Wyndham Lawsuit

In a closely watched case, a federal judge in New Jersey will allow the U.S. Chamber of Commerce and other organizations to seek dismissal of a lawsuit filed by the Federal Trade Commission (FTC) against Wyndham Worldwide Corp. TechFreedom’s Berin Szoka said, “The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law.” As a consequence, companies do not have much by way of guidance from the FTC for what constitutes deceptive and unfair practices. University of California Berkeley Prof. Chris Hoofnagle said the dismissal is a “Hail Mary effort to stop the FTC from enforcing its unfairness power.” [ComputerWorld]

US – Lawmakers Preparing Legislation in the Wake of NSA Surveillance

In light of NSA surveillance programs that have recently garnered the world’s attention, Sen. Al Franken (D-MN) is drafting legislation that he writes “will require the federal government to annually report how it uses key authorities under the Patriot Act and the Foreign Intelligence Surveillance Act, including the authorities underlying the phone metadata and the PRISM electronic surveillance programs that recently came to light.” Rep. Mike Rogers (R-MI), chairman of the House Intelligence Committee, said on Wednesday that he would draft legislation in the coming months to add more privacy protections to government surveillance programs. According to The Huffington Post, Rep. Adam Schiff (D-CA) is preparing legislation that would create a privacy advocate to appear in front of the Foreign Intelligence Surveillance Court. This newest draft is the third proposal in Schiff’s push to reform the FISA court. He has also drafted laws “to declassify and publish the court’s opinions and to shift the power to choose its 11 judges from the Supreme Court’s chief justice to the president,” the report states.

US – CA Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert for Technology’s Legal Edge. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. Full Story

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. state are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records, Bloomberg reports. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. Full Story

UK – ICO Says License-Plate Cameras Broke Law

The Hertfordshire Constabulary’s use of seven cameras to monitor traffic coming and going from the town is against the law, reports BBC. The force failed to carry out a privacy impact assessment, and according to the head of enforcement at the Information Commissioner’s Office, “The use of ANPR (automatic number plate recognition) cameras and other forms of surveillance must be proportionate to the problem it is trying to address. After detailed inquiries…we found that this simply wasn’t the case in Royston.” The police have been ordered to remove the cameras unless they can justify the use.